From 57ed4c5d015ca6fcf6e5e3993e63701acae2864c Mon Sep 17 00:00:00 2001 From: Tristan Britt <53545754+trbritt@users.noreply.github.com> Date: Mon, 19 Aug 2024 12:26:48 -0700 Subject: [PATCH] initial visibility restriction (#22) * initial visibility restriction * finalized visibility restriction * fmt * satisfy ci --- src/fields/extensions.rs | 8 +++++--- src/fields/fp.rs | 6 +++++- src/fields/fp12.rs | 23 ++++++----------------- src/fields/fp2.rs | 4 ++-- src/fields/fp6.rs | 14 +++++--------- src/fields/mod.rs | 10 +++++----- src/fields/utils.rs | 4 ++-- src/groups/g1.rs | 4 ++-- src/groups/g2.rs | 28 ++++++++++++++-------------- src/groups/group.rs | 23 ++++++++++++----------- src/groups/gt.rs | 6 +++--- src/groups/mod.rs | 8 ++++---- src/hasher.rs | 8 ++++---- src/lib.rs | 8 ++++---- src/pairing.rs | 27 +++++++++++++++------------ src/svdw.rs | 6 +++--- 16 files changed, 91 insertions(+), 96 deletions(-) diff --git a/src/fields/extensions.rs b/src/fields/extensions.rs index 3fe0049..a959dae 100644 --- a/src/fields/extensions.rs +++ b/src/fields/extensions.rs @@ -17,7 +17,9 @@ use std::ops::{Add, AddAssign, Neg, Sub, SubAssign}; // since the underlying Mul, Add, etc., are not, and const traits are in the works // https://github.com/rust-lang/rust/issues/67792 #[derive(Copy, Clone, Debug)] -pub struct FieldExtension>(pub [F; N]); +pub struct FieldExtension>( + pub(crate) [F; N], +); impl> From for FieldExtension @@ -32,13 +34,13 @@ impl> FieldExtensio /// This is a const constructor that takes a slice of field elements and returns a field extension /// The usage of the generics means that it is possible to instantiate any representation of /// an extension need. - pub const fn new(c: &[F; N]) -> Self { + pub(crate) const fn new(c: &[F; N]) -> Self { Self(*c) } /// There is eventually a need to be able to perform multiplication across different field /// extensions, and more or less this corresponds to a basic scaling, see /// - pub fn scale(&self, factor: F) -> Self { + pub(crate) fn scale(&self, factor: F) -> Self { let mut i = 0; let mut retval = [F::zero(); N]; while i < N { diff --git a/src/fields/fp.rs b/src/fields/fp.rs index 450b690..47145ff 100644 --- a/src/fields/fp.rs +++ b/src/fields/fp.rs @@ -43,7 +43,7 @@ use num_traits::{Euclid, Inv, One, Pow, Zero}; use std::ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Rem, Sub, SubAssign}; use subtle::CtOption; -pub const BN254_FP_MODULUS: Fp = Fp::new(U256::from_words([ +pub(crate) const BN254_FP_MODULUS: Fp = Fp::new(U256::from_words([ 0x3C208C16D87CFD47, 0x97816A916871CA8D, 0xB85045B68181585D, @@ -59,6 +59,7 @@ pub const BN254_FP_MODULUS: Fp = Fp::new(U256::from_words([ /// used to generate the quotient field F(x)/f(x)), D, and (ii) the number of elements /// required for a unique representation of an element in the extension, N. An extension can have /// many different representations, so it is key to allow this flexibility. +/// pub trait FieldExtensionTrait: Sized + Copy @@ -90,6 +91,9 @@ pub trait FieldExtensionTrait: fn curve_constant() -> Self; } +/// Visibility settings in rust on macro exports make this seem as not use, even though its +/// public and is indeed used ... +#[allow(dead_code)] pub trait FinitePrimeField: FieldExtensionTrait + Rem + Euclid + Pow + From where diff --git a/src/fields/fp12.rs b/src/fields/fp12.rs index 6ab8730..2b7b63f 100644 --- a/src/fields/fp12.rs +++ b/src/fields/fp12.rs @@ -175,7 +175,7 @@ const FP12_QUADRATIC_NON_RESIDUE: Fp12 = Fp12::new(&[ ]), ]); -pub type Fp12 = FieldExtension<12, 2, Fp6>; +pub(crate) type Fp12 = FieldExtension<12, 2, Fp6>; impl FieldExtensionTrait<12, 2> for Fp12 { fn quadratic_non_residue() -> Self { @@ -259,21 +259,10 @@ impl ConditionallySelectable for Fp12 { } /// Below are additional functions needed on Fp12 for the pairing operations impl Fp12 { - pub fn unitary_inverse(&self) -> Self { + pub(crate) fn unitary_inverse(&self) -> Self { Self::new(&[self.0[0], -self.0[1]]) } - pub fn pow(&self, arg: &[u64; 4]) -> Self { - let mut res = Self::one(); - for e in arg.iter().rev() { - for i in (0..64).rev() { - res = res.square(); - if ((*e >> i) & 1) == 1 { - res *= *self; - } - } - } - res - } + /// Due to the efficiency considerations of storing only the nonzero entries in the sparse /// Fp12, there is a need to implement sparse multiplication on Fp12, which is what the /// madness below is. It is an amalgamation of Algs 21-25 of @@ -298,7 +287,7 @@ impl Fp12 { /// The function below is called by `zcash`, `bn`, and `arkworks` as `mul_by_024`, referring to /// the indices of the non-zero elements in the 6x Fp2 representation above for the /// multiplication. - pub fn sparse_mul(&self, ell_0: Fp2, ell_vw: Fp2, ell_vv: Fp2) -> Fp12 { + pub(crate) fn sparse_mul(&self, ell_0: Fp2, ell_vw: Fp2, ell_vv: Fp2) -> Fp12 { let z0 = self.0[0].0[0]; let z1 = self.0[0].0[1]; let z2 = self.0[0].0[2]; @@ -362,7 +351,7 @@ impl Fp12 { Fp12::new(&[Fp6::new(&[z0, z1, z2]), Fp6::new(&[z3, z4, z5])]) } - pub fn frobenius(&self, exponent: usize) -> Self { + pub(crate) fn frobenius(&self, exponent: usize) -> Self { Self::new(&[ self.0[0].frobenius(exponent), self.0[1] @@ -370,7 +359,7 @@ impl Fp12 { .scale(FROBENIUS_COEFF_FP12_C1[exponent % 12]), ]) } - pub fn square(&self) -> Self { + pub(crate) fn square(&self) -> Self { // For F_{p^{12}} = F_{p^6}(w)/(w^2-\gamma), and A=a_0 + a_1*w \in F_{p^{12}}, // we determine C=c_0+c_1*w = A^2\in F_{p^{12}} // Alg 22 from diff --git a/src/fields/fp2.rs b/src/fields/fp2.rs index fb23e2c..3cb9a1e 100644 --- a/src/fields/fp2.rs +++ b/src/fields/fp2.rs @@ -10,7 +10,7 @@ use std::ops::{Div, DivAssign, Mul, MulAssign}; use subtle::{Choice, ConstantTimeEq, CtOption}; const FP2_QUADRATIC_NON_RESIDUE: Fp2 = Fp2::new(&[Fp::NINE, Fp::ONE]); -pub const TWO_INV: Fp = Fp::new(U256::from_words([ +pub(crate) const TWO_INV: Fp = Fp::new(U256::from_words([ 11389680472494603940, 14681934109093717318, 15863968012492123182, @@ -65,7 +65,7 @@ impl Fp2 { res } - pub fn residue_mul(&self) -> Self { + pub(crate) fn residue_mul(&self) -> Self { self * &FP2_QUADRATIC_NON_RESIDUE } pub fn frobenius(&self, exponent: usize) -> Self { diff --git a/src/fields/fp6.rs b/src/fields/fp6.rs index 2b6f663..d2de000 100644 --- a/src/fields/fp6.rs +++ b/src/fields/fp6.rs @@ -8,7 +8,7 @@ use crate::fields::fp2::Fp2; use crypto_bigint::{rand_core::CryptoRngCore, subtle::ConditionallySelectable, U256}; use num_traits::{Inv, One, Zero}; use std::ops::{Div, DivAssign, Mul, MulAssign}; -use subtle::{Choice, CtOption}; +use subtle::Choice; // the following values are a bit difficult to compute. The reason // is that they involve operations up to p^11, which occupy a U4096 @@ -171,13 +171,13 @@ const FP6_QUADRATIC_NON_RESIDUE: Fp6 = Fp6::new(&[ Fp2::new(&[Fp::ZERO, Fp::ZERO]), ]); -pub type Fp6 = FieldExtension<6, 3, Fp2>; +pub(crate) type Fp6 = FieldExtension<6, 3, Fp2>; impl Fp6 { - pub fn residue_mul(&self) -> Self { + pub(crate) fn residue_mul(&self) -> Self { Self([self.0[2].residue_mul(), self.0[0], self.0[1]]) } - pub fn frobenius(&self, exponent: usize) -> Self { + pub(crate) fn frobenius(&self, exponent: usize) -> Self { Self::new(&[ self.0[0].frobenius(exponent), self.0[1].frobenius(exponent) * FROBENIUS_COEFF_FP6_C1[exponent % 6], @@ -185,15 +185,11 @@ impl Fp6 { ]) } - pub fn sqrt(&self) -> CtOption { - unimplemented!() - } - // this is simply the same as the multiplication below // however, there are some simple algebraic reductions // you can do with squaring. this just implements that, // but functionally it is the same as the `Mul` trait below - pub fn square(&self) -> Self { + pub(crate) fn square(&self) -> Self { let t0 = self.0[0].square(); let cross = self.0[0] * self.0[1]; let t1 = cross + cross; diff --git a/src/fields/mod.rs b/src/fields/mod.rs index 191494e..894228a 100644 --- a/src/fields/mod.rs +++ b/src/fields/mod.rs @@ -1,6 +1,6 @@ mod extensions; -pub mod fp; -pub mod fp12; -pub mod fp2; -pub mod fp6; -pub mod utils; +pub(crate) mod fp; +pub(crate) mod fp12; +pub(crate) mod fp2; +pub(crate) mod fp6; +pub(crate) mod utils; diff --git a/src/fields/utils.rs b/src/fields/utils.rs index b4443d5..46a85be 100644 --- a/src/fields/utils.rs +++ b/src/fields/utils.rs @@ -1,6 +1,6 @@ use crypto_bigint::{Encoding, U256, U512}; -pub fn to_larger_uint(smaller_bytes: &[u8; N]) -> [u8; M] { +pub(crate) fn to_larger_uint(smaller_bytes: &[u8; N]) -> [u8; M] { assert!(M > N, "Target size must be larger than source size"); let mut larger_bytes = [0u8; M]; larger_bytes[M - N..].copy_from_slice(smaller_bytes); @@ -8,6 +8,6 @@ pub fn to_larger_uint(smaller_bytes: &[u8; N]) - } // Specific conversion functions -pub fn u256_to_u512(u256: &U256) -> U512 { +pub(crate) fn u256_to_u512(u256: &U256) -> U512 { U512::from_be_bytes(to_larger_uint::<32, 64>(&u256.to_be_bytes())) } diff --git a/src/groups/g1.rs b/src/groups/g1.rs index d5377de..ab62945 100644 --- a/src/groups/g1.rs +++ b/src/groups/g1.rs @@ -18,9 +18,9 @@ use crypto_bigint::rand_core::CryptoRngCore; use num_traits::Zero; use subtle::{Choice, ConstantTimeEq}; -pub type G1Affine = GroupAffine<1, 1, Fp>; +pub(crate) type G1Affine = GroupAffine<1, 1, Fp>; -pub type G1Projective = GroupProjective<1, 1, Fp>; +pub(crate) type G1Projective = GroupProjective<1, 1, Fp>; impl GroupTrait<1, 1, Fp> for G1Affine { fn generator() -> Self { diff --git a/src/groups/g2.rs b/src/groups/g2.rs index 373d1d1..a239daf 100644 --- a/src/groups/g2.rs +++ b/src/groups/g2.rs @@ -11,7 +11,7 @@ //! representations. The internal translation does not induce that much overhead really, but it //! is something to keep in mind. //! -//! All public facing methods here implement the subgroup check to ensure that the user cannot +//! All pub(crate) lic facing methods here implement the subgroup check to ensure that the user cannot //! input a value in $E^\prime(F_{p^2})$ that is not in the r-torsion. use crate::fields::fp::{FieldExtensionTrait, Fp, Fr}; @@ -56,7 +56,7 @@ const G2_Y: Fp2 = Fp2::new(&[ ])), ]); // the first constant of the endomorphism, $\xi^((p-1)/3)$, see below -pub const EPS_EXP0: Fp2 = Fp2::new(&[ +pub(crate) const EPS_EXP0: Fp2 = Fp2::new(&[ Fp::new(U256::from_words([ 11088870908804158781, 13226160682434769676, @@ -71,7 +71,7 @@ pub const EPS_EXP0: Fp2 = Fp2::new(&[ ])), ]); // the second constant of the endomorphism, $\xi^((p-1)/2)$, see below -pub const EPS_EXP1: Fp2 = Fp2::new(&[ +pub(crate) const EPS_EXP1: Fp2 = Fp2::new(&[ Fp::new(U256::from_words([ 15876315988453495642, 15828711151707445656, @@ -86,17 +86,10 @@ pub const EPS_EXP1: Fp2 = Fp2::new(&[ ])), ]); -// the cofactor of $\mathbb{G}_2$ -const C2: Fp = Fp::new(U256::from_words([ - 17887900258952609094, - 8020209761171036667, - 0, - 0, -])); // the parameter that generates this member of the BN family -pub const BLS_X: Fp = Fp::new(U256::from_words([4965661367192848881, 0, 0, 0])); +pub(crate) const BLS_X: Fp = Fp::new(U256::from_words([4965661367192848881, 0, 0, 0])); -pub type G2Affine = GroupAffine<2, 2, Fp2>; +pub(crate) type G2Affine = GroupAffine<2, 2, Fp2>; pub type G2Projective = GroupProjective<2, 2, Fp2>; @@ -193,6 +186,13 @@ impl GroupTrait<2, 2, Fp2> for G2Projective { /// through the `new` constructor to ensure that the random value does indeed pass the curve /// and subgroup checks fn rand(rng: &mut R) -> Self { + // the cofactor of $\mathbb{G}_2$ + const C2: Fp = Fp::new(U256::from_words([ + 17887900258952609094, + 8020209761171036667, + 0, + 0, + ])); let rando = Fp::new(Fr::rand(rng).value()); let mut tmp = Self::generator() * rando; @@ -232,7 +232,7 @@ impl G2Affine { /// This method is used internally for rapid, low overhead, conversion of types when there /// are formulae that don't have clean versions in projective coordinates. The 'unchecked' /// refers to the fact that these points are not subjected to a subgroup verification, and - /// therefore this method is not exposed publicly. + /// therefore this method is not exposed pub(crate) licly. /// /// DON'T USE THIS METHOD UNLESS YOU KNOW WHAT YOU'RE DOING fn new_unchecked(v: [Fp2; 2]) -> Result { @@ -256,7 +256,7 @@ impl G2Affine { } } impl G2Projective { - /// The public entrypoint to making a value in $\mathbb{G}_2$. This takes the (x,y,z) values + /// The pub(crate) lic entrypoint to making a value in $\mathbb{G}_2$. This takes the (x,y,z) values /// from the user, and passes them through a subgroup and curve check to ensure validity. /// Values returned from this function are guaranteed to be on the curve and in the r-torsion. pub fn new(v: [Fp2; 3]) -> Result { diff --git a/src/groups/group.rs b/src/groups/group.rs index 9fd77b7..625b8af 100644 --- a/src/groups/group.rs +++ b/src/groups/group.rs @@ -58,6 +58,7 @@ pub trait GroupTrait Self; } @@ -68,9 +69,9 @@ pub struct GroupAffine> PartialEq } } impl> GroupAffine { - pub fn zero() -> Self { + pub(crate) fn zero() -> Self { Self { x: F::zero(), y: F::one(), @@ -149,7 +150,7 @@ impl> GroupAffine bool { + pub(crate) fn is_zero(&self) -> bool { bool::from(self.infinity) } } @@ -165,16 +166,16 @@ pub struct GroupProjective> GroupProjective { /// This is the point at infinity! This object really is the additive identity of the group, /// when the group law is addition, which it is here. It satisfies the properties that /// $zero+a=a$ for some $a$ in the group, as well as $a+(-a)=zero$, which means that the /// convention zero makes the most sense to me here. - pub fn zero() -> Self { + pub(crate) fn zero() -> Self { Self { x: F::zero(), y: F::one(), @@ -182,7 +183,7 @@ impl> GroupProjecti } } - pub fn is_zero(&self) -> bool { + pub(crate) fn is_zero(&self) -> bool { self.z.is_zero() } @@ -192,7 +193,7 @@ impl> GroupProjecti /// Complexity: /// `6M`(ultiplications) + `2S`(quarings) /// + `1m`(ultiplication by scalar) + `9A`(dditions) - pub fn double(&self) -> Self { + pub(crate) fn double(&self) -> Self { let t0 = self.y * self.y; let z3 = t0 + t0; let z3 = z3 + z3; diff --git a/src/groups/gt.rs b/src/groups/gt.rs index cb14b8c..d6c0658 100644 --- a/src/groups/gt.rs +++ b/src/groups/gt.rs @@ -106,7 +106,7 @@ const GT: Fp12 = Fp12::new(&[ ]); #[derive(Copy, Clone, Debug)] -pub struct Gt(pub Fp12); +pub(crate) struct Gt(pub(crate) Fp12); impl<'a> Neg for &'a Gt { type Output = Gt; @@ -226,12 +226,12 @@ impl GroupTrait<12, 2, Fp12> for Gt { } impl Gt { /// Returns the group identity, which is $1$. - pub fn identity() -> Gt { + pub(crate) fn identity() -> Gt { Gt(Fp12::one()) } /// Doubles this group element. - pub fn double(&self) -> Gt { + pub(crate) fn double(&self) -> Gt { Gt(self.0.square()) } } diff --git a/src/groups/mod.rs b/src/groups/mod.rs index 05aa285..aa0c08c 100644 --- a/src/groups/mod.rs +++ b/src/groups/mod.rs @@ -1,7 +1,7 @@ -pub mod g1; -pub mod g2; -pub mod group; -pub mod gt; +pub(crate) mod g1; +pub(crate) mod g2; +pub(crate) mod group; +pub(crate) mod gt; /// This test suite takes time, the biggest culprit of which is the multiplication. Really the /// biggest bottleneck is assuredly the loading of the reference data from disk. The diff --git a/src/hasher.rs b/src/hasher.rs index 662808e..1d119f2 100644 --- a/src/hasher.rs +++ b/src/hasher.rs @@ -9,7 +9,7 @@ use sha3::digest::crypto_common::BlockSizeUser; use sha3::digest::{ExtendableOutput, FixedOutput}; use std::array::TryFromSliceError; #[derive(Debug)] -pub enum HashError { +pub(crate) enum HashError { CastToField, ExpandMessage, ConvertInt, @@ -22,7 +22,7 @@ fn i2osp(val: u64, length: usize) -> Result, HashError> { } Ok(val.to_be_bytes()[8 - length..].to_vec()) } -pub trait Expander { +pub(crate) trait Expander { const OVERSIZE_DST_PREFIX: &'static [u8] = b"H2C-OVERSIZE-DST-"; fn expand_message(&self, msg: &[u8], len_in_bytes: usize) -> Result, HashError>; @@ -54,7 +54,7 @@ pub trait Expander { } } -pub struct XMDExpander { +pub(crate) struct XMDExpander { /// This implements the XMD function, which produces a uniformly random /// byte string using a hash function that outputs b bits. /// Usage of this function is recommended only with Sha2 and Sha3 hashes. @@ -65,7 +65,7 @@ pub struct XMDExpander { } impl XMDExpander { - pub fn new(dst: &[u8], security_param: u64) -> Self { + pub(crate) fn new(dst: &[u8], security_param: u64) -> Self { let dst_prime = if dst.len() > 255 { let mut hasher = D::default(); hasher.update(Self::OVERSIZE_DST_PREFIX); diff --git a/src/lib.rs b/src/lib.rs index 59c9f4d..4ec84ff 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -33,7 +33,7 @@ use subtle::ConstantTimeEq; const DST: &[u8; 30] = b"WARLOCK-CHAOS-V01-CS01-SHA-256"; const SECURITY_BITS: u64 = 128; -/// This is a basic struct that simply contains a pair of (private, pub) keys for later use in +/// This is a basic struct that simply contains a pair of (private, pub ) keys for later use in /// the signature and verification #[derive(Debug, Copy, Clone)] pub struct KeyPair { @@ -63,13 +63,13 @@ pub fn sign(k: &Fp, msg: &[u8]) -> Result { } } -/// This takes a public key, message, and a signature, and verifies that the signature is valid -pub fn verify(pub_key: &G2Projective, msg: &[u8], sig: &G1Projective) -> Result { +/// This takes a pub lic key, message, and a signature, and verifies that the signature is valid +pub fn verify(pubkey: &G2Projective, msg: &[u8], sig: &G1Projective) -> Result { let expander = XMDExpander::::new(DST, SECURITY_BITS); match G1Projective::hash_to_curve(&expander, msg) { Ok(hashed_message) => { let lhs = pairing(sig, &G2Projective::generator()); - let rhs = pairing(&hashed_message, pub_key); + let rhs = pairing(&hashed_message, pubkey); Ok(lhs.ct_eq(&rhs).into()) } _ => Err(GroupError::CannotHashToGroup), diff --git a/src/pairing.rs b/src/pairing.rs index 15944da..55eff75 100644 --- a/src/pairing.rs +++ b/src/pairing.rs @@ -23,7 +23,7 @@ const ATE_LOOP_COUNT_NAF: [i8; 64] = [ 1, 0, 0, 0, ]; #[derive(Copy, Clone, Debug)] -pub struct MillerLoopResult(pub Fp12); +pub(crate) struct MillerLoopResult(pub(crate) Fp12); impl Default for MillerLoopResult { fn default() -> Self { MillerLoopResult(Fp12::one()) @@ -71,10 +71,10 @@ impl<'b> MulAssign<&'b MillerLoopResult> for MillerLoopResult { /// zero, which is not ideal. We therefore only keep the 3 nonzero coefficients returned by these /// evaluations. These nonzero coeffs are stored in the struct below. #[derive(PartialEq, Default, Clone, Copy)] -pub struct Ell(Fp2, Fp2, Fp2); +pub(crate) struct Ell(Fp2, Fp2, Fp2); impl MillerLoopResult { - pub fn final_exponentiation(&self) -> Gt { + pub(crate) fn final_exponentiation(&self) -> Gt { /// As part of the cyclotomic acceleration of the final exponentiation step, there is a /// shortcut to take when using multiplication in Fp4. We built the tower of extensions using /// degrees 2, 6, and 12, but there is an additional way to write Fp12: @@ -142,7 +142,7 @@ impl MillerLoopResult { /// This is a simple double and add algorithm for exponentiation. You can get more /// complicated algorithms if you go to a compressed representation, such as Algorithm /// 5.5.4, listing 27 - pub fn cyclotomic_exp(f: Fp12, exponent: &Fp) -> Fp12 { + pub(crate) fn cyclotomic_exp(f: Fp12, exponent: &Fp) -> Fp12 { let bits = exponent.value().to_words(); let mut res = Fp12::one(); for e in bits.iter().rev() { @@ -157,7 +157,7 @@ impl MillerLoopResult { } /// This is a helper function to determine f^z, where $z$ is the generator of this /// particular member of the BN family - pub fn exp_by_neg_z(f: Fp12) -> Fp12 { + pub(crate) fn exp_by_neg_z(f: Fp12) -> Fp12 { cyclotomic_exp(f, &BLS_X).unitary_inverse() } /// The below is the easy part of the final exponentiation step, corresponding to Lines @@ -227,12 +227,12 @@ impl MillerLoopResult { /// digits, each also with an addition step. After the loop, there are 2 more addition steps, so /// the total number of coefficients we need to store is 64+9+12+2 = 87. #[derive(PartialEq)] -pub struct G2PreComputed { - pub q: G2Affine, - pub coeffs: [Ell; 87], +pub(crate) struct G2PreComputed { + pub(crate) q: G2Affine, + pub(crate) coeffs: [Ell; 87], } impl G2PreComputed { - pub fn miller_loop(&self, g1: &G1Affine) -> MillerLoopResult { + pub(crate) fn miller_loop(&self, g1: &G1Affine) -> MillerLoopResult { let mut f = Fp12::one(); let mut idx = 0; @@ -348,7 +348,7 @@ impl G2Projective { ) } } -pub fn pairing(p: &G1Projective, q: &G2Projective) -> Gt { +pub(crate) fn pairing(p: &G1Projective, q: &G2Projective) -> Gt { let p = &G1Affine::from(p); let q = &G2Affine::from(q); let either_zero = Choice::from((p.is_zero() | q.is_zero()) as u8); @@ -359,7 +359,10 @@ pub fn pairing(p: &G1Projective, q: &G2Projective) -> Gt { tmp.final_exponentiation() } -pub fn glued_miller_loop(g2_precomps: &[G2PreComputed], g1s: &[G1Affine]) -> MillerLoopResult { +pub(crate) fn glued_miller_loop( + g2_precomps: &[G2PreComputed], + g1s: &[G1Affine], +) -> MillerLoopResult { let mut f = Fp12::one(); let mut idx = 0; for i in ATE_LOOP_COUNT_NAF.iter() { @@ -390,7 +393,7 @@ pub fn glued_miller_loop(g2_precomps: &[G2PreComputed], g1s: &[G1Affine]) -> Mil MillerLoopResult(f) } #[allow(dead_code)] -pub fn glued_pairing(g1s: &[G1Projective], g2s: &[G2Projective]) -> Gt { +pub(crate) fn glued_pairing(g1s: &[G1Projective], g2s: &[G2Projective]) -> Gt { let g1s = g1s.iter().map(G1Affine::from).collect::>(); let g2s = g2s.iter().map(G2Affine::from).collect::>(); let g2_precomps = g2s diff --git a/src/svdw.rs b/src/svdw.rs index 97d5065..1752f91 100644 --- a/src/svdw.rs +++ b/src/svdw.rs @@ -18,11 +18,11 @@ use num_traits::{Inv, Zero}; use subtle::Choice; #[derive(Debug)] -pub enum MapError { +pub(crate) enum MapError { SvdWError, } #[derive(Debug)] -pub struct SvdW { +pub(crate) struct SvdW { a: Fp, b: Fp, c1: Fp, @@ -32,7 +32,7 @@ pub struct SvdW { z: Fp, } -pub trait SvdWTrait: Sized { +pub(crate) trait SvdWTrait: Sized { /// This is the actual struct containing the relevant information. There are a few input /// constants, namely the coefficients A and B that define the curve in its short Weierstrass /// representation. The constants c1-c4 and Z are determined by the algorithm.