[WIP] curve: enable the unreachable_pub lint

In #850 I noticed there are a lot of places that internal types are
currently marked `pub` which is a bit confusing when trying to reason
about whether APIs allow for violating invariants.

This enables the `unreachable_pub` lint which can automatically check
for such situations. Most of them were corrected automatically using
`cargo fix`

Author: tarcieri

curve25519-dalek/src/backend.rs

@@ -37,7 +37,7 @@
 use crate::EdwardsPoint;
 use crate::Scalar;
 
-pub mod serial;
+pub(crate) mod serial;
 
 #[cfg(curve25519_dalek_backend = "simd")]
 pub mod vector;
@@ -76,7 +76,7 @@ fn get_selected_backend() -> BackendKind {
 
 #[allow(missing_docs)]
 #[cfg(feature = "alloc")]
-pub fn pippenger_optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<EdwardsPoint>
+pub(crate) fn pippenger_optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<EdwardsPoint>
 where
     I: IntoIterator,
     I::Item: core::borrow::Borrow<Scalar>,
@@ -109,7 +109,7 @@ pub(crate) enum VartimePrecomputedStraus {
 
 #[cfg(feature = "alloc")]
 impl VartimePrecomputedStraus {
-    pub fn new<I>(static_points: I) -> Self
+    pub(crate) fn new<I>(static_points: I) -> Self
     where
         I: IntoIterator,
         I::Item: core::borrow::Borrow<EdwardsPoint>,
@@ -129,7 +129,7 @@ impl VartimePrecomputedStraus {
     }
 
     /// Return the number of static points in the precomputation.
-    pub fn len(&self) -> usize {
+    pub(crate) fn len(&self) -> usize {
         use crate::traits::VartimePrecomputedMultiscalarMul;
 
         match self {
@@ -142,7 +142,7 @@ impl VartimePrecomputedStraus {
     }
 
     /// Determine if the precomputation is empty.
-    pub fn is_empty(&self) -> bool {
+    pub(crate) fn is_empty(&self) -> bool {
         use crate::traits::VartimePrecomputedMultiscalarMul;
 
         match self {
@@ -154,7 +154,7 @@ impl VartimePrecomputedStraus {
         }
     }
 
-    pub fn optional_mixed_multiscalar_mul<I, J, K>(
+    pub(crate) fn optional_mixed_multiscalar_mul<I, J, K>(
         &self,
         static_scalars: I,
         dynamic_scalars: J,
@@ -193,7 +193,7 @@ impl VartimePrecomputedStraus {
 
 #[allow(missing_docs)]
 #[cfg(feature = "alloc")]
-pub fn straus_multiscalar_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
+pub(crate) fn straus_multiscalar_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
 where
     I: IntoIterator,
     I::Item: core::borrow::Borrow<Scalar>,
@@ -221,7 +221,7 @@ where
 
 #[allow(missing_docs)]
 #[cfg(feature = "alloc")]
-pub fn straus_optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<EdwardsPoint>
+pub(crate) fn straus_optional_multiscalar_mul<I, J>(scalars: I, points: J) -> Option<EdwardsPoint>
 where
     I: IntoIterator,
     I::Item: core::borrow::Borrow<Scalar>,
@@ -250,7 +250,7 @@ where
 }
 
 /// Perform constant-time, variable-base scalar multiplication.
-pub fn variable_base_mul(point: &EdwardsPoint, scalar: &Scalar) -> EdwardsPoint {
+pub(crate) fn variable_base_mul(point: &EdwardsPoint, scalar: &Scalar) -> EdwardsPoint {
     match get_selected_backend() {
         #[cfg(curve25519_dalek_backend = "simd")]
         BackendKind::Avx2 => vector::scalar_mul::variable_base::spec_avx2::mul(point, scalar),
@@ -264,7 +264,7 @@ pub fn variable_base_mul(point: &EdwardsPoint, scalar: &Scalar) -> EdwardsPoint
 
 /// Compute \\(aA + bB\\) in variable time, where \\(B\\) is the Ed25519 basepoint.
 #[allow(non_snake_case)]
-pub fn vartime_double_base_mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
+pub(crate) fn vartime_double_base_mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
     match get_selected_backend() {
         #[cfg(curve25519_dalek_backend = "simd")]
         BackendKind::Avx2 => vector::scalar_mul::vartime_double_base::spec_avx2::mul(a, A, b),

curve25519-dalek/src/backend/serial.rs

@@ -39,11 +39,11 @@ cfg_if! {
 
         #[cfg(curve25519_dalek_bits = "64")]
         #[doc(hidden)]
-        pub mod u64;
+        pub(crate) mod u64;
 
     }
 }
 
-pub mod curve_models;
+pub(crate) mod curve_models;
 
-pub mod scalar_mul;
+pub(crate) mod scalar_mul;

curve25519-dalek/src/backend/serial/scalar_mul.rs

@@ -18,16 +18,16 @@
 //! curve model.
 
 #[allow(missing_docs)]
-pub mod variable_base;
+pub(crate) mod variable_base;
 
 #[allow(missing_docs)]
-pub mod vartime_double_base;
+pub(crate) mod vartime_double_base;
 
 #[cfg(feature = "alloc")]
-pub mod straus;
+pub(crate) mod straus;
 
 #[cfg(feature = "alloc")]
-pub mod precomputed_straus;
+pub(crate) mod precomputed_straus;
 
 #[cfg(feature = "alloc")]
-pub mod pippenger;
+pub(crate) mod pippenger;

curve25519-dalek/src/backend/serial/scalar_mul/pippenger.rs

@@ -59,7 +59,7 @@ use crate::traits::VartimeMultiscalarMul;
 /// Therefore, the optimal choice of `w` grows slowly as `n` grows.
 ///
 /// This algorithm is adapted from section 4 of <https://eprint.iacr.org/2012/549.pdf>.
-pub struct Pippenger;
+pub(crate) struct Pippenger;
 
 impl VartimeMultiscalarMul for Pippenger {
     type Point = EdwardsPoint;

curve25519-dalek/src/backend/serial/scalar_mul/precomputed_straus.rs

@@ -26,7 +26,7 @@ use crate::traits::VartimePrecomputedMultiscalarMul;
 use crate::window::{NafLookupTable5, NafLookupTable8};
 
 #[allow(missing_docs)]
-pub struct VartimePrecomputedStraus {
+pub(crate) struct VartimePrecomputedStraus {
     static_lookup_tables: Vec<NafLookupTable8<AffineNielsPoint>>,
 }
 

curve25519-dalek/src/backend/serial/scalar_mul/straus.rs

@@ -44,7 +44,7 @@ use crate::traits::VartimeMultiscalarMul;
 ///
 /// [solution]: https://www.jstor.org/stable/2310929
 /// [problem]: https://www.jstor.org/stable/2312273
-pub struct Straus {}
+pub(crate) struct Straus {}
 
 impl MultiscalarMul for Straus {
     type Point = EdwardsPoint;

curve25519-dalek/src/backend/serial/scalar_mul/vartime_double_base.rs

@@ -20,7 +20,7 @@ use crate::traits::Identity;
 use crate::window::NafLookupTable5;
 
 /// Compute \\(aA + bB\\) in variable time, where \\(B\\) is the Ed25519 basepoint.
-pub fn mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
+pub(crate) fn mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
     let a_naf = a.non_adjacent_form(5);
 
     #[cfg(feature = "precomputed-tables")]

curve25519-dalek/src/backend/serial/u64.rs

@@ -20,8 +20,8 @@
 //! (allowing the CPU to compute two carry chains in parallel).  These
 //! will be used if available.
 
-pub mod field;
+pub(crate) mod field;
 
-pub mod scalar;
+pub(crate) mod scalar;
 
-pub mod constants;
+pub(crate) mod constants;

curve25519-dalek/src/backend/serial/u64/scalar.rs

@@ -23,7 +23,7 @@ use crate::constants;
 /// The `Scalar52` struct represents an element in
 /// \\(\mathbb Z / \ell \mathbb Z\\) as 5 \\(52\\)-bit limbs.
 #[derive(Copy, Clone)]
-pub struct Scalar52(pub [u64; 5]);
+pub(crate) struct Scalar52(pub [u64; 5]);
 
 impl Debug for Scalar52 {
     fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
@@ -59,11 +59,11 @@ fn m(x: u64, y: u64) -> u128 {
 
 impl Scalar52 {
     /// The scalar \\( 0 \\).
-    pub const ZERO: Scalar52 = Scalar52([0, 0, 0, 0, 0]);
+    pub(crate) const ZERO: Scalar52 = Scalar52([0, 0, 0, 0, 0]);
 
     /// Unpack a 32 byte / 256 bit scalar into 5 52-bit limbs.
     #[rustfmt::skip] // keep alignment of s[*] calculations
-    pub fn from_bytes(bytes: &[u8; 32]) -> Scalar52 {
+    pub(crate) fn from_bytes(bytes: &[u8; 32]) -> Scalar52 {
         let mut words = [0u64; 4];
         for i in 0..4 {
             for j in 0..8 {
@@ -86,7 +86,7 @@ impl Scalar52 {
 
     /// Reduce a 64 byte / 512 bit scalar mod l
     #[rustfmt::skip] // keep alignment of lo[*] and hi[*] calculations
-    pub fn from_bytes_wide(bytes: &[u8; 64]) -> Scalar52 {
+    pub(crate) fn from_bytes_wide(bytes: &[u8; 64]) -> Scalar52 {
         let mut words = [0u64; 8];
         for i in 0..8 {
             for j in 0..8 {
@@ -118,7 +118,7 @@ impl Scalar52 {
     /// Pack the limbs of this `Scalar52` into 32 bytes
     #[rustfmt::skip] // keep alignment of s[*] calculations
     #[allow(clippy::identity_op)]
-    pub fn to_bytes(self) -> [u8; 32] {
+    pub(crate) fn to_bytes(self) -> [u8; 32] {
         let mut s = [0u8; 32];
 
         s[ 0] =  (self.0[ 0] >>  0)                      as u8;
@@ -158,7 +158,7 @@ impl Scalar52 {
     }
 
     /// Compute `a + b` (mod l)
-    pub fn add(a: &Scalar52, b: &Scalar52) -> Scalar52 {
+    pub(crate) fn add(a: &Scalar52, b: &Scalar52) -> Scalar52 {
         let mut sum = Scalar52::ZERO;
         let mask = (1u64 << 52) - 1;
 
@@ -174,7 +174,7 @@ impl Scalar52 {
     }
 
     /// Compute `a - b` (mod l)
-    pub fn sub(a: &Scalar52, b: &Scalar52) -> Scalar52 {
+    pub(crate) fn sub(a: &Scalar52, b: &Scalar52) -> Scalar52 {
         let mut difference = Scalar52::ZERO;
         let mask = (1u64 << 52) - 1;
 
@@ -299,41 +299,41 @@ impl Scalar52 {
 
     /// Compute `a * b` (mod l)
     #[inline(never)]
-    pub fn mul(a: &Scalar52, b: &Scalar52) -> Scalar52 {
+    pub(crate) fn mul(a: &Scalar52, b: &Scalar52) -> Scalar52 {
         let ab = Scalar52::montgomery_reduce(&Scalar52::mul_internal(a, b));
         Scalar52::montgomery_reduce(&Scalar52::mul_internal(&ab, &constants::RR))
     }
 
     /// Compute `a^2` (mod l)
     #[inline(never)]
     #[allow(dead_code)] // XXX we don't expose square() via the Scalar API
-    pub fn square(&self) -> Scalar52 {
+    pub(crate) fn square(&self) -> Scalar52 {
         let aa = Scalar52::montgomery_reduce(&Scalar52::square_internal(self));
         Scalar52::montgomery_reduce(&Scalar52::mul_internal(&aa, &constants::RR))
     }
 
     /// Compute `(a * b) / R` (mod l), where R is the Montgomery modulus 2^260
     #[inline(never)]
-    pub fn montgomery_mul(a: &Scalar52, b: &Scalar52) -> Scalar52 {
+    pub(crate) fn montgomery_mul(a: &Scalar52, b: &Scalar52) -> Scalar52 {
         Scalar52::montgomery_reduce(&Scalar52::mul_internal(a, b))
     }
 
     /// Compute `(a^2) / R` (mod l) in Montgomery form, where R is the Montgomery modulus 2^260
     #[inline(never)]
-    pub fn montgomery_square(&self) -> Scalar52 {
+    pub(crate) fn montgomery_square(&self) -> Scalar52 {
         Scalar52::montgomery_reduce(&Scalar52::square_internal(self))
     }
 
     /// Puts a Scalar52 in to Montgomery form, i.e. computes `a*R (mod l)`
     #[inline(never)]
-    pub fn as_montgomery(&self) -> Scalar52 {
+    pub(crate) fn as_montgomery(&self) -> Scalar52 {
         Scalar52::montgomery_mul(self, &constants::RR)
     }
 
     /// Takes a Scalar52 out of Montgomery form, i.e. computes `a/R (mod l)`
     #[allow(clippy::wrong_self_convention)]
     #[inline(never)]
-    pub fn from_montgomery(&self) -> Scalar52 {
+    pub(crate) fn from_montgomery(&self) -> Scalar52 {
         let mut limbs = [0u128; 9];
         for i in 0..5 {
             limbs[i] = self[i] as u128;
@@ -352,7 +352,7 @@ mod test {
     /// x = 14474011154664524427946373126085988481658748083205070504932198000989141204991
     /// x = 7237005577332262213973186563042994240801631723825162898930247062703686954002 mod l
     /// x = 3057150787695215392275360544382990118917283750546154083604586903220563173085*R mod l in Montgomery form
-    pub static X: Scalar52 = Scalar52([
+    pub(super) static X: Scalar52 = Scalar52([
         0x000fffffffffffff,
         0x000fffffffffffff,
         0x000fffffffffffff,
@@ -361,7 +361,7 @@ mod test {
     ]);
 
     /// x^2 = 3078544782642840487852506753550082162405942681916160040940637093560259278169 mod l
-    pub static XX: Scalar52 = Scalar52([
+    pub(super) static XX: Scalar52 = Scalar52([
         0x0001668020217559,
         0x000531640ffd0ec0,
         0x00085fd6f9f38a31,
@@ -370,7 +370,7 @@ mod test {
     ]);
 
     /// x^2 = 4413052134910308800482070043710297189082115023966588301924965890668401540959*R mod l in Montgomery form
-    pub static XX_MONT: Scalar52 = Scalar52([
+    pub(super) static XX_MONT: Scalar52 = Scalar52([
         0x000c754eea569a5c,
         0x00063b6ed36cb215,
         0x0008ffa36bf25886,
@@ -379,7 +379,7 @@ mod test {
     ]);
 
     /// y = 6145104759870991071742105800796537629880401874866217824609283457819451087098
-    pub static Y: Scalar52 = Scalar52([
+    pub(super) static Y: Scalar52 = Scalar52([
         0x000b75071e1458fa,
         0x000bf9d75e1ecdac,
         0x000433d2baf0672b,
@@ -388,7 +388,7 @@ mod test {
     ]);
 
     /// x*y = 36752150652102274958925982391442301741 mod l
-    pub static XY: Scalar52 = Scalar52([
+    pub(super) static XY: Scalar52 = Scalar52([
         0x000ee6d76ba7632d,
         0x000ed50d71d84e02,
         0x00000000001ba634,
@@ -397,7 +397,7 @@ mod test {
     ]);
 
     /// x*y = 658448296334113745583381664921721413881518248721417041768778176391714104386*R mod l in Montgomery form
-    pub static XY_MONT: Scalar52 = Scalar52([
+    pub(super) static XY_MONT: Scalar52 = Scalar52([
         0x0006d52bf200cfd5,
         0x00033fb1d7021570,
         0x000f201bc07139d8,
@@ -406,7 +406,7 @@ mod test {
     ]);
 
     /// a = 2351415481556538453565687241199399922945659411799870114962672658845158063753
-    pub static A: Scalar52 = Scalar52([
+    pub(super) static A: Scalar52 = Scalar52([
         0x0005236c07b3be89,
         0x0001bc3d2a67c0c4,
         0x000a4aa782aae3ee,
@@ -415,7 +415,7 @@ mod test {
     ]);
 
     /// b = 4885590095775723760407499321843594317911456947580037491039278279440296187236
-    pub static B: Scalar52 = Scalar52([
+    pub(super) static B: Scalar52 = Scalar52([
         0x000d3fae55421564,
         0x000c2df24f65a4bc,
         0x0005b5587d69fb0b,
@@ -425,7 +425,7 @@ mod test {
 
     /// a+b = 0
     /// a-b = 4702830963113076907131374482398799845891318823599740229925345317690316127506
-    pub static AB: Scalar52 = Scalar52([
+    pub(super) static AB: Scalar52 = Scalar52([
         0x000a46d80f677d12,
         0x0003787a54cf8188,
         0x0004954f0555c7dc,
@@ -434,7 +434,7 @@ mod test {
     ]);
 
     // c = (2^512 - 1) % l = 1627715501170711445284395025044413883736156588369414752970002579683115011840
-    pub static C: Scalar52 = Scalar52([
+    pub(super) static C: Scalar52 = Scalar52([
         0x000611e3449c0f00,
         0x000a768859347a40,
         0x0007f5be65d00e1b,

curve25519-dalek/src/edwards.rs

@@ -1810,7 +1810,7 @@ mod test {
     ]);
 
     /// 4493907448824000747700850167940867464579944529806937181821189941592931634714
-    pub static A_SCALAR: Scalar = Scalar {
+    pub(super) static A_SCALAR: Scalar = Scalar {
         bytes: [
             0x1a, 0x0e, 0x97, 0x8a, 0x90, 0xf6, 0x62, 0x2d, 0x37, 0x47, 0x02, 0x3f, 0x8a, 0xd8,
             0x26, 0x4d, 0xa7, 0x58, 0xaa, 0x1b, 0x88, 0xe0, 0x40, 0xd1, 0x58, 0x9e, 0x7b, 0x7f,
@@ -1819,7 +1819,7 @@ mod test {
     };
 
     /// 2506056684125797857694181776241676200180934651973138769173342316833279714961
-    pub static B_SCALAR: Scalar = Scalar {
+    pub(super) static B_SCALAR: Scalar = Scalar {
         bytes: [
             0x91, 0x26, 0x7a, 0xcf, 0x25, 0xc2, 0x09, 0x1b, 0xa2, 0x17, 0x74, 0x7b, 0x66, 0xf0,
             0xb3, 0x2e, 0x9d, 0xf2, 0xa5, 0x67, 0x41, 0xcf, 0xda, 0xc4, 0x56, 0xa7, 0xd4, 0xaa,
@@ -1828,7 +1828,7 @@ mod test {
     };
 
     /// A_SCALAR * basepoint, computed with ed25519.py
-    pub static A_TIMES_BASEPOINT: CompressedEdwardsY = CompressedEdwardsY([
+    pub(super) static A_TIMES_BASEPOINT: CompressedEdwardsY = CompressedEdwardsY([
         0xea, 0x27, 0xe2, 0x60, 0x53, 0xdf, 0x1b, 0x59, 0x56, 0xf1, 0x4d, 0x5d, 0xec, 0x3c, 0x34,
         0xc3, 0x84, 0xa2, 0x69, 0xb7, 0x4c, 0xc3, 0x80, 0x3e, 0xa8, 0xe2, 0xe7, 0xc9, 0x42, 0x5e,
         0x40, 0xa5,