And might want to highlight that the comparison must be constant-time,
as otherwise the decapsulation will leak side-channel information.
And even more seriously, it should be highlighted that innerEnc must
be free of side-channel leaks with respect to msg and seed (making it
side-channel free with respect to publicKey is not realistic), as it is
used in a side-channel-critical way in decapsulation. There exists a
pretty simple way to implement the thing wrong that causes side-channel
leakage on msg.
Ilari on CFRG list:
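As an added illustration of the two points above (not code from Ilari's message, the CFRG thread or any draft), a Python sketch of the decapsulation step: the re-encryption result is compared without an early exit and the shared secret is selected by masking rather than branching on that result. The names innerEnc, derive, reject_key and the hash-based stand-in for the inner PKE are assumptions made here to keep the sketch self-contained.

```python
import hashlib

def naive_eq(a: bytes, b: bytes) -> int:
    """Variable-time comparison: returns as soon as a byte differs, so the
    running time reveals how far a forged ciphertext matches the real one."""
    for x, y in zip(a, b):
        if x != y:
            return 0
    return 1

def ct_eq(a: bytes, b: bytes) -> int:
    """Constant-time comparison: every byte is visited, no early exit.
    Returns 1 if a == b, else 0. Length is public for fixed-size ciphertexts."""
    if len(a) != len(b):
        return 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return ((diff - 1) >> 8) & 1          # 1 exactly when diff == 0

def ct_select(flag: int, if_one: bytes, if_zero: bytes) -> bytes:
    """Return if_one when flag == 1, if_zero when flag == 0, by masking
    rather than branching on the (secret) comparison result."""
    mask = (-flag) & 0xFF                 # 0xFF or 0x00
    return bytes((u & mask) | (v & (mask ^ 0xFF)) for u, v in zip(if_one, if_zero))

def inner_enc(pk: bytes, msg: bytes, coins: bytes) -> bytes:
    """HYPOTHETICAL stand-in for innerEnc (a hash, not a real PKE). A real
    innerEnc must itself be constant-time w.r.t. msg and coins."""
    return hashlib.sha3_256(b"innerEnc" + pk + msg + coins).digest()

def derive(msg: bytes, pk: bytes):
    """G(msg || H(pk)) -> (shared key, encryption coins); constructed KDF."""
    out = hashlib.sha3_512(msg + hashlib.sha3_256(pk).digest()).digest()
    return out[:32], out[32:]

def reject_key(z: bytes, ct: bytes) -> bytes:
    """Implicit-rejection key J(z || ct): unrelated to the real key."""
    return hashlib.shake_256(z + ct).digest(32)

def encaps(pk: bytes, msg: bytes):
    k, coins = derive(msg, pk)
    return k, inner_enc(pk, msg, coins)

def decaps(z: bytes, pk: bytes, ct: bytes, recovered_msg: bytes) -> bytes:
    """recovered_msg stands in for innerDec(sk, ct) (no real PKE here).
    Re-encrypt, compare in constant time, select the key without a branch."""
    k, coins = derive(recovered_msg, pk)
    ok = ct_eq(ct, inner_enc(pk, recovered_msg, coins))
    return ct_select(ok, k, reject_key(z, ct))
```

The contrast to look for is between naive_eq, whose running time depends on the first mismatching byte, and ct_eq plus ct_select, which touch every byte and never branch on the secret comparison result.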