From 31cb96b79c1989325112ecd820aa9c42a3f557a4 Mon Sep 17 00:00:00 2001
From: LewiGoddard <maxlivincia@outlook.com>
Date: Mon, 24 Oct 2022 15:44:58 +0000
Subject: [PATCH] all: use math/bits.RotateLeft

Updates golang/go#31456

Change-Id: Idf043a25632526baa190bf42ed360cb79f85e493
GitHub-Last-Rev: 59461578926a85a87cc68dac96c0b7559766b7cf
GitHub-Pull-Request: golang/crypto#195
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/356518
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: David Chase <drchase@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---
 cast5/cast5.go               |  11 +-
 md4/md4block.go              |  14 +--
 pkcs12/internal/rc2/rc2.go   |  53 +++++-----
 salsa20/salsa/hsalsa20.go    |  66 ++++++------
 salsa20/salsa/salsa208.go    |  66 ++++++------
 salsa20/salsa/salsa20_ref.go |  66 ++++++------
 sha3/keccakf.go              | 194 ++++++++++++++++++-----------------
 twofish/twofish.go           |  35 +++----
 8 files changed, 254 insertions(+), 251 deletions(-)

diff --git a/cast5/cast5.go b/cast5/cast5.go
index ddcbeb6..425e8ee 100644
--- a/cast5/cast5.go
+++ b/cast5/cast5.go
@@ -13,7 +13,10 @@
 // golang.org/x/crypto/chacha20poly1305).
 package cast5 // import "golang.org/x/crypto/cast5"
 
-import "errors"
+import (
+	"errors"
+	"math/bits"
+)
 
 const BlockSize = 8
 const KeySize = 16
@@ -241,19 +244,19 @@ func (c *Cipher) keySchedule(in []byte) {
 // These are the three 'f' functions. See RFC 2144, section 2.2.
 func f1(d, m uint32, r uint8) uint32 {
 	t := m + d
-	I := (t << r) | (t >> (32 - r))
+	I := bits.RotateLeft32(t, int(r))
 	return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff]
 }
 
 func f2(d, m uint32, r uint8) uint32 {
 	t := m ^ d
-	I := (t << r) | (t >> (32 - r))
+	I := bits.RotateLeft32(t, int(r))
 	return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff]
 }
 
 func f3(d, m uint32, r uint8) uint32 {
 	t := m - d
-	I := (t << r) | (t >> (32 - r))
+	I := bits.RotateLeft32(t, int(r))
 	return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff]
 }
 
diff --git a/md4/md4block.go b/md4/md4block.go
index 3fed475..5ea1ba9 100644
--- a/md4/md4block.go
+++ b/md4/md4block.go
@@ -8,9 +8,11 @@
 
 package md4
 
-var shift1 = []uint{3, 7, 11, 19}
-var shift2 = []uint{3, 5, 9, 13}
-var shift3 = []uint{3, 9, 11, 15}
+import "math/bits"
+
+var shift1 = []int{3, 7, 11, 19}
+var shift2 = []int{3, 5, 9, 13}
+var shift3 = []int{3, 9, 11, 15}
 
 var xIndex2 = []uint{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
 var xIndex3 = []uint{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
@@ -48,7 +50,7 @@ func _Block(dig *digest, p []byte) int {
 			s := shift1[i%4]
 			f := ((c ^ d) & b) ^ d
 			a += f + X[x]
-			a = a<<s | a>>(32-s)
+			a = bits.RotateLeft32(a, s)
 			a, b, c, d = d, a, b, c
 		}
 
@@ -58,7 +60,7 @@ func _Block(dig *digest, p []byte) int {
 			s := shift2[i%4]
 			g := (b & c) | (b & d) | (c & d)
 			a += g + X[x] + 0x5a827999
-			a = a<<s | a>>(32-s)
+			a = bits.RotateLeft32(a, s)
 			a, b, c, d = d, a, b, c
 		}
 
@@ -68,7 +70,7 @@ func _Block(dig *digest, p []byte) int {
 			s := shift3[i%4]
 			h := b ^ c ^ d
 			a += h + X[x] + 0x6ed9eba1
-			a = a<<s | a>>(32-s)
+			a = bits.RotateLeft32(a, s)
 			a, b, c, d = d, a, b, c
 		}
 
diff --git a/pkcs12/internal/rc2/rc2.go b/pkcs12/internal/rc2/rc2.go
index 7499e3f..05de9cc 100644
--- a/pkcs12/internal/rc2/rc2.go
+++ b/pkcs12/internal/rc2/rc2.go
@@ -14,6 +14,7 @@ package rc2
 import (
 	"crypto/cipher"
 	"encoding/binary"
+	"math/bits"
 )
 
 // The rc2 block size in bytes
@@ -80,10 +81,6 @@ func expandKey(key []byte, t1 int) [64]uint16 {
 	return k
 }
 
-func rotl16(x uint16, b uint) uint16 {
-	return (x >> (16 - b)) | (x << b)
-}
-
 func (c *rc2Cipher) Encrypt(dst, src []byte) {
 
 	r0 := binary.LittleEndian.Uint16(src[0:])
@@ -96,22 +93,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
 	for j <= 16 {
 		// mix r0
 		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
+		r0 = bits.RotateLeft16(r0, 1)
 		j++
 
 		// mix r1
 		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
+		r1 = bits.RotateLeft16(r1, 2)
 		j++
 
 		// mix r2
 		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
+		r2 = bits.RotateLeft16(r2, 3)
 		j++
 
 		// mix r3
 		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
+		r3 = bits.RotateLeft16(r3, 5)
 		j++
 
 	}
@@ -124,22 +121,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
 	for j <= 40 {
 		// mix r0
 		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
+		r0 = bits.RotateLeft16(r0, 1)
 		j++
 
 		// mix r1
 		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
+		r1 = bits.RotateLeft16(r1, 2)
 		j++
 
 		// mix r2
 		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
+		r2 = bits.RotateLeft16(r2, 3)
 		j++
 
 		// mix r3
 		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
+		r3 = bits.RotateLeft16(r3, 5)
 		j++
 
 	}
@@ -152,22 +149,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
 	for j <= 60 {
 		// mix r0
 		r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
-		r0 = rotl16(r0, 1)
+		r0 = bits.RotateLeft16(r0, 1)
 		j++
 
 		// mix r1
 		r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
-		r1 = rotl16(r1, 2)
+		r1 = bits.RotateLeft16(r1, 2)
 		j++
 
 		// mix r2
 		r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
-		r2 = rotl16(r2, 3)
+		r2 = bits.RotateLeft16(r2, 3)
 		j++
 
 		// mix r3
 		r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
-		r3 = rotl16(r3, 5)
+		r3 = bits.RotateLeft16(r3, 5)
 		j++
 	}
 
@@ -188,22 +185,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
 
 	for j >= 44 {
 		// unmix r3
-		r3 = rotl16(r3, 16-5)
+		r3 = bits.RotateLeft16(r3, 16-5)
 		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
 		j--
 
 		// unmix r2
-		r2 = rotl16(r2, 16-3)
+		r2 = bits.RotateLeft16(r2, 16-3)
 		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
 		j--
 
 		// unmix r1
-		r1 = rotl16(r1, 16-2)
+		r1 = bits.RotateLeft16(r1, 16-2)
 		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
 		j--
 
 		// unmix r0
-		r0 = rotl16(r0, 16-1)
+		r0 = bits.RotateLeft16(r0, 16-1)
 		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
 		j--
 	}
@@ -215,22 +212,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
 
 	for j >= 20 {
 		// unmix r3
-		r3 = rotl16(r3, 16-5)
+		r3 = bits.RotateLeft16(r3, 16-5)
 		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
 		j--
 
 		// unmix r2
-		r2 = rotl16(r2, 16-3)
+		r2 = bits.RotateLeft16(r2, 16-3)
 		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
 		j--
 
 		// unmix r1
-		r1 = rotl16(r1, 16-2)
+		r1 = bits.RotateLeft16(r1, 16-2)
 		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
 		j--
 
 		// unmix r0
-		r0 = rotl16(r0, 16-1)
+		r0 = bits.RotateLeft16(r0, 16-1)
 		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
 		j--
 
@@ -243,22 +240,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
 
 	for j >= 0 {
 		// unmix r3
-		r3 = rotl16(r3, 16-5)
+		r3 = bits.RotateLeft16(r3, 16-5)
 		r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
 		j--
 
 		// unmix r2
-		r2 = rotl16(r2, 16-3)
+		r2 = bits.RotateLeft16(r2, 16-3)
 		r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
 		j--
 
 		// unmix r1
-		r1 = rotl16(r1, 16-2)
+		r1 = bits.RotateLeft16(r1, 16-2)
 		r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
 		j--
 
 		// unmix r0
-		r0 = rotl16(r0, 16-1)
+		r0 = bits.RotateLeft16(r0, 16-1)
 		r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
 		j--
 
diff --git a/salsa20/salsa/hsalsa20.go b/salsa20/salsa/hsalsa20.go
index 4c96147..3fd05b2 100644
--- a/salsa20/salsa/hsalsa20.go
+++ b/salsa20/salsa/hsalsa20.go
@@ -5,6 +5,8 @@
 // Package salsa provides low-level access to functions in the Salsa family.
 package salsa // import "golang.org/x/crypto/salsa20/salsa"
 
+import "math/bits"
+
 // Sigma is the Salsa20 constant for 256-bit keys.
 var Sigma = [16]byte{'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k'}
 
@@ -31,76 +33,76 @@ func HSalsa20(out *[32]byte, in *[16]byte, k *[32]byte, c *[16]byte) {
 
 	for i := 0; i < 20; i += 2 {
 		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
+		x4 ^= bits.RotateLeft32(u, 7)
 		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
+		x12 ^= bits.RotateLeft32(u, 13)
 		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
+		x9 ^= bits.RotateLeft32(u, 7)
 		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
+		x1 ^= bits.RotateLeft32(u, 13)
 		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
+		x14 ^= bits.RotateLeft32(u, 7)
 		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
+		x6 ^= bits.RotateLeft32(u, 13)
 		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
+		x3 ^= bits.RotateLeft32(u, 7)
 		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
+		x11 ^= bits.RotateLeft32(u, 13)
 		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 
 		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
+		x1 ^= bits.RotateLeft32(u, 7)
 		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
+		x3 ^= bits.RotateLeft32(u, 13)
 		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
+		x6 ^= bits.RotateLeft32(u, 7)
 		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
+		x4 ^= bits.RotateLeft32(u, 13)
 		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
+		x11 ^= bits.RotateLeft32(u, 7)
 		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
+		x9 ^= bits.RotateLeft32(u, 13)
 		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
+		x12 ^= bits.RotateLeft32(u, 7)
 		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
+		x14 ^= bits.RotateLeft32(u, 13)
 		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 	}
 	out[0] = byte(x0)
 	out[1] = byte(x0 >> 8)
diff --git a/salsa20/salsa/salsa208.go b/salsa20/salsa/salsa208.go
index 9bfc092..7ec7bb3 100644
--- a/salsa20/salsa/salsa208.go
+++ b/salsa20/salsa/salsa208.go
@@ -4,6 +4,8 @@
 
 package salsa
 
+import "math/bits"
+
 // Core208 applies the Salsa20/8 core function to the 64-byte array in and puts
 // the result into the 64-byte array out. The input and output may be the same array.
 func Core208(out *[64]byte, in *[64]byte) {
@@ -29,76 +31,76 @@ func Core208(out *[64]byte, in *[64]byte) {
 
 	for i := 0; i < 8; i += 2 {
 		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
+		x4 ^= bits.RotateLeft32(u, 7)
 		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
+		x12 ^= bits.RotateLeft32(u, 13)
 		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
+		x9 ^= bits.RotateLeft32(u, 7)
 		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
+		x1 ^= bits.RotateLeft32(u, 13)
 		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
+		x14 ^= bits.RotateLeft32(u, 7)
 		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
+		x6 ^= bits.RotateLeft32(u, 13)
 		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
+		x3 ^= bits.RotateLeft32(u, 7)
 		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
+		x11 ^= bits.RotateLeft32(u, 13)
 		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 
 		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
+		x1 ^= bits.RotateLeft32(u, 7)
 		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
+		x3 ^= bits.RotateLeft32(u, 13)
 		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
+		x6 ^= bits.RotateLeft32(u, 7)
 		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
+		x4 ^= bits.RotateLeft32(u, 13)
 		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
+		x11 ^= bits.RotateLeft32(u, 7)
 		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
+		x9 ^= bits.RotateLeft32(u, 13)
 		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
+		x12 ^= bits.RotateLeft32(u, 7)
 		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
+		x14 ^= bits.RotateLeft32(u, 13)
 		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 	}
 	x0 += j0
 	x1 += j1
diff --git a/salsa20/salsa/salsa20_ref.go b/salsa20/salsa/salsa20_ref.go
index 68169c6..e5cdb9a 100644
--- a/salsa20/salsa/salsa20_ref.go
+++ b/salsa20/salsa/salsa20_ref.go
@@ -4,6 +4,8 @@
 
 package salsa
 
+import "math/bits"
+
 const rounds = 20
 
 // core applies the Salsa20 core function to 16-byte input in, 32-byte key k,
@@ -31,76 +33,76 @@ func core(out *[64]byte, in *[16]byte, k *[32]byte, c *[16]byte) {
 
 	for i := 0; i < rounds; i += 2 {
 		u := x0 + x12
-		x4 ^= u<<7 | u>>(32-7)
+		x4 ^= bits.RotateLeft32(u, 7)
 		u = x4 + x0
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x4
-		x12 ^= u<<13 | u>>(32-13)
+		x12 ^= bits.RotateLeft32(u, 13)
 		u = x12 + x8
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x1
-		x9 ^= u<<7 | u>>(32-7)
+		x9 ^= bits.RotateLeft32(u, 7)
 		u = x9 + x5
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x9
-		x1 ^= u<<13 | u>>(32-13)
+		x1 ^= bits.RotateLeft32(u, 13)
 		u = x1 + x13
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x6
-		x14 ^= u<<7 | u>>(32-7)
+		x14 ^= bits.RotateLeft32(u, 7)
 		u = x14 + x10
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x14
-		x6 ^= u<<13 | u>>(32-13)
+		x6 ^= bits.RotateLeft32(u, 13)
 		u = x6 + x2
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x11
-		x3 ^= u<<7 | u>>(32-7)
+		x3 ^= bits.RotateLeft32(u, 7)
 		u = x3 + x15
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x3
-		x11 ^= u<<13 | u>>(32-13)
+		x11 ^= bits.RotateLeft32(u, 13)
 		u = x11 + x7
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 
 		u = x0 + x3
-		x1 ^= u<<7 | u>>(32-7)
+		x1 ^= bits.RotateLeft32(u, 7)
 		u = x1 + x0
-		x2 ^= u<<9 | u>>(32-9)
+		x2 ^= bits.RotateLeft32(u, 9)
 		u = x2 + x1
-		x3 ^= u<<13 | u>>(32-13)
+		x3 ^= bits.RotateLeft32(u, 13)
 		u = x3 + x2
-		x0 ^= u<<18 | u>>(32-18)
+		x0 ^= bits.RotateLeft32(u, 18)
 
 		u = x5 + x4
-		x6 ^= u<<7 | u>>(32-7)
+		x6 ^= bits.RotateLeft32(u, 7)
 		u = x6 + x5
-		x7 ^= u<<9 | u>>(32-9)
+		x7 ^= bits.RotateLeft32(u, 9)
 		u = x7 + x6
-		x4 ^= u<<13 | u>>(32-13)
+		x4 ^= bits.RotateLeft32(u, 13)
 		u = x4 + x7
-		x5 ^= u<<18 | u>>(32-18)
+		x5 ^= bits.RotateLeft32(u, 18)
 
 		u = x10 + x9
-		x11 ^= u<<7 | u>>(32-7)
+		x11 ^= bits.RotateLeft32(u, 7)
 		u = x11 + x10
-		x8 ^= u<<9 | u>>(32-9)
+		x8 ^= bits.RotateLeft32(u, 9)
 		u = x8 + x11
-		x9 ^= u<<13 | u>>(32-13)
+		x9 ^= bits.RotateLeft32(u, 13)
 		u = x9 + x8
-		x10 ^= u<<18 | u>>(32-18)
+		x10 ^= bits.RotateLeft32(u, 18)
 
 		u = x15 + x14
-		x12 ^= u<<7 | u>>(32-7)
+		x12 ^= bits.RotateLeft32(u, 7)
 		u = x12 + x15
-		x13 ^= u<<9 | u>>(32-9)
+		x13 ^= bits.RotateLeft32(u, 9)
 		u = x13 + x12
-		x14 ^= u<<13 | u>>(32-13)
+		x14 ^= bits.RotateLeft32(u, 13)
 		u = x14 + x13
-		x15 ^= u<<18 | u>>(32-18)
+		x15 ^= bits.RotateLeft32(u, 18)
 	}
 	x0 += j0
 	x1 += j1
diff --git a/sha3/keccakf.go b/sha3/keccakf.go
index 0f4ae8b..e5faa37 100644
--- a/sha3/keccakf.go
+++ b/sha3/keccakf.go
@@ -7,6 +7,8 @@
 
 package sha3
 
+import "math/bits"
+
 // rc stores the round constants for use in the ι step.
 var rc = [24]uint64{
 	0x0000000000000001,
@@ -60,13 +62,13 @@ func keccakF1600(a *[25]uint64) {
 
 		bc0 = a[0] ^ d0
 		t = a[6] ^ d1
-		bc1 = t<<44 | t>>(64-44)
+		bc1 = bits.RotateLeft64(t, 44)
 		t = a[12] ^ d2
-		bc2 = t<<43 | t>>(64-43)
+		bc2 = bits.RotateLeft64(t, 43)
 		t = a[18] ^ d3
-		bc3 = t<<21 | t>>(64-21)
+		bc3 = bits.RotateLeft64(t, 21)
 		t = a[24] ^ d4
-		bc4 = t<<14 | t>>(64-14)
+		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
@@ -74,15 +76,15 @@ func keccakF1600(a *[25]uint64) {
 		a[24] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[10] ^ d0
-		bc2 = t<<3 | t>>(64-3)
+		bc2 = bits.RotateLeft64(t, 3)
 		t = a[16] ^ d1
-		bc3 = t<<45 | t>>(64-45)
+		bc3 = bits.RotateLeft64(t, 45)
 		t = a[22] ^ d2
-		bc4 = t<<61 | t>>(64-61)
+		bc4 = bits.RotateLeft64(t, 61)
 		t = a[3] ^ d3
-		bc0 = t<<28 | t>>(64-28)
+		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
+		bc1 = bits.RotateLeft64(t, 20)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
@@ -90,15 +92,15 @@ func keccakF1600(a *[25]uint64) {
 		a[9] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[20] ^ d0
-		bc4 = t<<18 | t>>(64-18)
+		bc4 = bits.RotateLeft64(t, 18)
 		t = a[1] ^ d1
-		bc0 = t<<1 | t>>(64-1)
+		bc0 = bits.RotateLeft64(t, 1)
 		t = a[7] ^ d2
-		bc1 = t<<6 | t>>(64-6)
+		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
+		bc2 = bits.RotateLeft64(t, 25)
 		t = a[19] ^ d4
-		bc3 = t<<8 | t>>(64-8)
+		bc3 = bits.RotateLeft64(t, 8)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
@@ -106,15 +108,15 @@ func keccakF1600(a *[25]uint64) {
 		a[19] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[5] ^ d0
-		bc1 = t<<36 | t>>(64-36)
+		bc1 = bits.RotateLeft64(t, 36)
 		t = a[11] ^ d1
-		bc2 = t<<10 | t>>(64-10)
+		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
+		bc3 = bits.RotateLeft64(t, 15)
 		t = a[23] ^ d3
-		bc4 = t<<56 | t>>(64-56)
+		bc4 = bits.RotateLeft64(t, 56)
 		t = a[4] ^ d4
-		bc0 = t<<27 | t>>(64-27)
+		bc0 = bits.RotateLeft64(t, 27)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
@@ -122,15 +124,15 @@ func keccakF1600(a *[25]uint64) {
 		a[4] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[15] ^ d0
-		bc3 = t<<41 | t>>(64-41)
+		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
+		bc4 = bits.RotateLeft64(t, 2)
 		t = a[2] ^ d2
-		bc0 = t<<62 | t>>(64-62)
+		bc0 = bits.RotateLeft64(t, 62)
 		t = a[8] ^ d3
-		bc1 = t<<55 | t>>(64-55)
+		bc1 = bits.RotateLeft64(t, 55)
 		t = a[14] ^ d4
-		bc2 = t<<39 | t>>(64-39)
+		bc2 = bits.RotateLeft64(t, 39)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
@@ -151,13 +153,13 @@ func keccakF1600(a *[25]uint64) {
 
 		bc0 = a[0] ^ d0
 		t = a[16] ^ d1
-		bc1 = t<<44 | t>>(64-44)
+		bc1 = bits.RotateLeft64(t, 44)
 		t = a[7] ^ d2
-		bc2 = t<<43 | t>>(64-43)
+		bc2 = bits.RotateLeft64(t, 43)
 		t = a[23] ^ d3
-		bc3 = t<<21 | t>>(64-21)
+		bc3 = bits.RotateLeft64(t, 21)
 		t = a[14] ^ d4
-		bc4 = t<<14 | t>>(64-14)
+		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
@@ -165,15 +167,15 @@ func keccakF1600(a *[25]uint64) {
 		a[14] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[20] ^ d0
-		bc2 = t<<3 | t>>(64-3)
+		bc2 = bits.RotateLeft64(t, 3)
 		t = a[11] ^ d1
-		bc3 = t<<45 | t>>(64-45)
+		bc3 = bits.RotateLeft64(t, 45)
 		t = a[2] ^ d2
-		bc4 = t<<61 | t>>(64-61)
+		bc4 = bits.RotateLeft64(t, 61)
 		t = a[18] ^ d3
-		bc0 = t<<28 | t>>(64-28)
+		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
+		bc1 = bits.RotateLeft64(t, 20)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
@@ -181,15 +183,15 @@ func keccakF1600(a *[25]uint64) {
 		a[9] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[15] ^ d0
-		bc4 = t<<18 | t>>(64-18)
+		bc4 = bits.RotateLeft64(t, 18)
 		t = a[6] ^ d1
-		bc0 = t<<1 | t>>(64-1)
+		bc0 = bits.RotateLeft64(t, 1)
 		t = a[22] ^ d2
-		bc1 = t<<6 | t>>(64-6)
+		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
+		bc2 = bits.RotateLeft64(t, 25)
 		t = a[4] ^ d4
-		bc3 = t<<8 | t>>(64-8)
+		bc3 = bits.RotateLeft64(t, 8)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
@@ -197,15 +199,15 @@ func keccakF1600(a *[25]uint64) {
 		a[4] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[10] ^ d0
-		bc1 = t<<36 | t>>(64-36)
+		bc1 = bits.RotateLeft64(t, 36)
 		t = a[1] ^ d1
-		bc2 = t<<10 | t>>(64-10)
+		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
+		bc3 = bits.RotateLeft64(t, 15)
 		t = a[8] ^ d3
-		bc4 = t<<56 | t>>(64-56)
+		bc4 = bits.RotateLeft64(t, 56)
 		t = a[24] ^ d4
-		bc0 = t<<27 | t>>(64-27)
+		bc0 = bits.RotateLeft64(t, 27)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
@@ -213,15 +215,15 @@ func keccakF1600(a *[25]uint64) {
 		a[24] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[5] ^ d0
-		bc3 = t<<41 | t>>(64-41)
+		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
+		bc4 = bits.RotateLeft64(t, 2)
 		t = a[12] ^ d2
-		bc0 = t<<62 | t>>(64-62)
+		bc0 = bits.RotateLeft64(t, 62)
 		t = a[3] ^ d3
-		bc1 = t<<55 | t>>(64-55)
+		bc1 = bits.RotateLeft64(t, 55)
 		t = a[19] ^ d4
-		bc2 = t<<39 | t>>(64-39)
+		bc2 = bits.RotateLeft64(t, 39)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
@@ -242,13 +244,13 @@ func keccakF1600(a *[25]uint64) {
 
 		bc0 = a[0] ^ d0
 		t = a[11] ^ d1
-		bc1 = t<<44 | t>>(64-44)
+		bc1 = bits.RotateLeft64(t, 44)
 		t = a[22] ^ d2
-		bc2 = t<<43 | t>>(64-43)
+		bc2 = bits.RotateLeft64(t, 43)
 		t = a[8] ^ d3
-		bc3 = t<<21 | t>>(64-21)
+		bc3 = bits.RotateLeft64(t, 21)
 		t = a[19] ^ d4
-		bc4 = t<<14 | t>>(64-14)
+		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
@@ -256,15 +258,15 @@ func keccakF1600(a *[25]uint64) {
 		a[19] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[15] ^ d0
-		bc2 = t<<3 | t>>(64-3)
+		bc2 = bits.RotateLeft64(t, 3)
 		t = a[1] ^ d1
-		bc3 = t<<45 | t>>(64-45)
+		bc3 = bits.RotateLeft64(t, 45)
 		t = a[12] ^ d2
-		bc4 = t<<61 | t>>(64-61)
+		bc4 = bits.RotateLeft64(t, 61)
 		t = a[23] ^ d3
-		bc0 = t<<28 | t>>(64-28)
+		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
+		bc1 = bits.RotateLeft64(t, 20)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
@@ -272,15 +274,15 @@ func keccakF1600(a *[25]uint64) {
 		a[9] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[5] ^ d0
-		bc4 = t<<18 | t>>(64-18)
+		bc4 = bits.RotateLeft64(t, 18)
 		t = a[16] ^ d1
-		bc0 = t<<1 | t>>(64-1)
+		bc0 = bits.RotateLeft64(t, 1)
 		t = a[2] ^ d2
-		bc1 = t<<6 | t>>(64-6)
+		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
+		bc2 = bits.RotateLeft64(t, 25)
 		t = a[24] ^ d4
-		bc3 = t<<8 | t>>(64-8)
+		bc3 = bits.RotateLeft64(t, 8)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
@@ -288,15 +290,15 @@ func keccakF1600(a *[25]uint64) {
 		a[24] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[20] ^ d0
-		bc1 = t<<36 | t>>(64-36)
+		bc1 = bits.RotateLeft64(t, 36)
 		t = a[6] ^ d1
-		bc2 = t<<10 | t>>(64-10)
+		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
+		bc3 = bits.RotateLeft64(t, 15)
 		t = a[3] ^ d3
-		bc4 = t<<56 | t>>(64-56)
+		bc4 = bits.RotateLeft64(t, 56)
 		t = a[14] ^ d4
-		bc0 = t<<27 | t>>(64-27)
+		bc0 = bits.RotateLeft64(t, 27)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
@@ -304,15 +306,15 @@ func keccakF1600(a *[25]uint64) {
 		a[14] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[10] ^ d0
-		bc3 = t<<41 | t>>(64-41)
+		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
+		bc4 = bits.RotateLeft64(t, 2)
 		t = a[7] ^ d2
-		bc0 = t<<62 | t>>(64-62)
+		bc0 = bits.RotateLeft64(t, 62)
 		t = a[18] ^ d3
-		bc1 = t<<55 | t>>(64-55)
+		bc1 = bits.RotateLeft64(t, 55)
 		t = a[4] ^ d4
-		bc2 = t<<39 | t>>(64-39)
+		bc2 = bits.RotateLeft64(t, 39)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
@@ -333,13 +335,13 @@ func keccakF1600(a *[25]uint64) {
 
 		bc0 = a[0] ^ d0
 		t = a[1] ^ d1
-		bc1 = t<<44 | t>>(64-44)
+		bc1 = bits.RotateLeft64(t, 44)
 		t = a[2] ^ d2
-		bc2 = t<<43 | t>>(64-43)
+		bc2 = bits.RotateLeft64(t, 43)
 		t = a[3] ^ d3
-		bc3 = t<<21 | t>>(64-21)
+		bc3 = bits.RotateLeft64(t, 21)
 		t = a[4] ^ d4
-		bc4 = t<<14 | t>>(64-14)
+		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
@@ -347,15 +349,15 @@ func keccakF1600(a *[25]uint64) {
 		a[4] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[5] ^ d0
-		bc2 = t<<3 | t>>(64-3)
+		bc2 = bits.RotateLeft64(t, 3)
 		t = a[6] ^ d1
-		bc3 = t<<45 | t>>(64-45)
+		bc3 = bits.RotateLeft64(t, 45)
 		t = a[7] ^ d2
-		bc4 = t<<61 | t>>(64-61)
+		bc4 = bits.RotateLeft64(t, 61)
 		t = a[8] ^ d3
-		bc0 = t<<28 | t>>(64-28)
+		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
-		bc1 = t<<20 | t>>(64-20)
+		bc1 = bits.RotateLeft64(t, 20)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
@@ -363,15 +365,15 @@ func keccakF1600(a *[25]uint64) {
 		a[9] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[10] ^ d0
-		bc4 = t<<18 | t>>(64-18)
+		bc4 = bits.RotateLeft64(t, 18)
 		t = a[11] ^ d1
-		bc0 = t<<1 | t>>(64-1)
+		bc0 = bits.RotateLeft64(t, 1)
 		t = a[12] ^ d2
-		bc1 = t<<6 | t>>(64-6)
+		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
-		bc2 = t<<25 | t>>(64-25)
+		bc2 = bits.RotateLeft64(t, 25)
 		t = a[14] ^ d4
-		bc3 = t<<8 | t>>(64-8)
+		bc3 = bits.RotateLeft64(t, 8)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
@@ -379,15 +381,15 @@ func keccakF1600(a *[25]uint64) {
 		a[14] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[15] ^ d0
-		bc1 = t<<36 | t>>(64-36)
+		bc1 = bits.RotateLeft64(t, 36)
 		t = a[16] ^ d1
-		bc2 = t<<10 | t>>(64-10)
+		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
-		bc3 = t<<15 | t>>(64-15)
+		bc3 = bits.RotateLeft64(t, 15)
 		t = a[18] ^ d3
-		bc4 = t<<56 | t>>(64-56)
+		bc4 = bits.RotateLeft64(t, 56)
 		t = a[19] ^ d4
-		bc0 = t<<27 | t>>(64-27)
+		bc0 = bits.RotateLeft64(t, 27)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
@@ -395,15 +397,15 @@ func keccakF1600(a *[25]uint64) {
 		a[19] = bc4 ^ (bc1 &^ bc0)
 
 		t = a[20] ^ d0
-		bc3 = t<<41 | t>>(64-41)
+		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
-		bc4 = t<<2 | t>>(64-2)
+		bc4 = bits.RotateLeft64(t, 2)
 		t = a[22] ^ d2
-		bc0 = t<<62 | t>>(64-62)
+		bc0 = bits.RotateLeft64(t, 62)
 		t = a[23] ^ d3
-		bc1 = t<<55 | t>>(64-55)
+		bc1 = bits.RotateLeft64(t, 55)
 		t = a[24] ^ d4
-		bc2 = t<<39 | t>>(64-39)
+		bc2 = bits.RotateLeft64(t, 39)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
diff --git a/twofish/twofish.go b/twofish/twofish.go
index 1197d75..e4eeae1 100644
--- a/twofish/twofish.go
+++ b/twofish/twofish.go
@@ -18,7 +18,10 @@ package twofish // import "golang.org/x/crypto/twofish"
 // LibTomCrypt is free for all purposes under the public domain.
 // It was heavily inspired by the go blowfish package.
 
-import "strconv"
+import (
+	"math/bits"
+	"strconv"
+)
 
 // BlockSize is the constant block size of Twofish.
 const BlockSize = 16
@@ -76,12 +79,12 @@ func NewCipher(key []byte) (*Cipher, error) {
 			tmp[j] = 2*i + 1
 		}
 		B := h(tmp[:], key, 1)
-		B = rol(B, 8)
+		B = bits.RotateLeft32(B, 8)
 
 		c.k[2*i] = A + B
 
 		// K[2i+1] = (A + 2B) <<< 9
-		c.k[2*i+1] = rol(2*B+A, 9)
+		c.k[2*i+1] = bits.RotateLeft32(2*B+A, 9)
 	}
 
 	// Calculate sboxes
@@ -129,16 +132,6 @@ func load32l(src []byte) uint32 {
 	return uint32(src[0]) | uint32(src[1])<<8 | uint32(src[2])<<16 | uint32(src[3])<<24
 }
 
-// rol returns x after a left circular rotation of y bits.
-func rol(x, y uint32) uint32 {
-	return (x << (y & 31)) | (x >> (32 - (y & 31)))
-}
-
-// ror returns x after a right circular rotation of y bits.
-func ror(x, y uint32) uint32 {
-	return (x >> (y & 31)) | (x << (32 - (y & 31)))
-}
-
 // The RS matrix. See [TWOFISH] 4.3
 var rs = [4][8]byte{
 	{0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E},
@@ -282,13 +275,13 @@ func (c *Cipher) Encrypt(dst, src []byte) {
 		k := c.k[8+i*4 : 12+i*4]
 		t2 := S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
 		t1 := S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
-		ic = ror(ic^(t1+k[0]), 1)
-		id = rol(id, 1) ^ (t2 + t1 + k[1])
+		ic = bits.RotateLeft32(ic^(t1+k[0]), -1)
+		id = bits.RotateLeft32(id, 1) ^ (t2 + t1 + k[1])
 
 		t2 = S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
 		t1 = S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
-		ia = ror(ia^(t1+k[2]), 1)
-		ib = rol(ib, 1) ^ (t2 + t1 + k[3])
+		ia = bits.RotateLeft32(ia^(t1+k[2]), -1)
+		ib = bits.RotateLeft32(ib, 1) ^ (t2 + t1 + k[3])
 	}
 
 	// Output with "undo last swap"
@@ -326,13 +319,13 @@ func (c *Cipher) Decrypt(dst, src []byte) {
 		k := c.k[4+i*4 : 8+i*4]
 		t2 := S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
 		t1 := S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
-		ia = rol(ia, 1) ^ (t1 + k[2])
-		ib = ror(ib^(t2+t1+k[3]), 1)
+		ia = bits.RotateLeft32(ia, 1) ^ (t1 + k[2])
+		ib = bits.RotateLeft32(ib^(t2+t1+k[3]), -1)
 
 		t2 = S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
 		t1 = S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
-		ic = rol(ic, 1) ^ (t1 + k[0])
-		id = ror(id^(t2+t1+k[1]), 1)
+		ic = bits.RotateLeft32(ic, 1) ^ (t1 + k[0])
+		id = bits.RotateLeft32(id^(t2+t1+k[1]), -1)
 	}
 
 	// Undo pre-whitening