Implementation of a leakage-resilient ElGamal key encapsulation mechanism

Table 1 CCmLA1 security experiment for KEM

KEM-CCmLA1$_{\mathsf {KEM}}(\mathcal {A},\kappa ,\lambda )$	KEM-Leak-Oracle $O^{\text {CCmLA1}}(C,f_{i},h_{i})$
$(pk,(\sigma _{0},\sigma '_{0}))\leftarrow \mathsf {KG}\left( \kappa ,\lambda \right) $
$ i:=1$, $w\leftarrow \mathcal {A}^{O^{\text {CCmLA1}}(\cdot )}\left( pk\right) $	$(\sigma _{i},w_{i})\overset{r_{i}}{\leftarrow }\mathsf {Dec1}(\sigma _{i-\text {1}},C)$
$b\overset{\$}{\leftarrow }\left\{ 0,1\right\} $	$ (\sigma '_{i},K)\overset{r'_{i}}{\leftarrow }\mathsf {Dec2}(\sigma '_{i-\text {1}},w_{i})$
$\left( C,K_{0}\right) \leftarrow \mathsf {Enc}\left( pk\right) $	$\Lambda _{i}:=f_{i}(\sigma _{i-1},r_{i})$
$ K_{1}\overset{\$}{\leftarrow }\mathcal {K}$	$ \Lambda '_{i}:=h_{i}(\sigma '_{i-1},r'_{i},w_{i})$
$b'\leftarrow \mathcal {A}\left( w,CK_{b}\right) $	$i:=i+1$
	Return $(K,\Lambda _{i},\Lambda '_{i})$

KEM-CCmLA1\(_{\mathsf {KEM}}(\mathcal {A},\kappa ,\lambda )\)	KEM-Leak-Oracle \(O^{\text {CCmLA1}}(C,f_{i},h_{i})\)
\((pk,(\sigma _{0},\sigma '_{0}))\leftarrow \mathsf {KG}\left( \kappa ,\lambda \right) \)
\( i:=1\), \(w\leftarrow \mathcal {A}^{O^{\text {CCmLA1}}(\cdot )}\left( pk\right) \)	\((\sigma _{i},w_{i})\overset{r_{i}}{\leftarrow }\mathsf {Dec1}(\sigma _{i-\text {1}},C)\)
\(b\overset{\$}{\leftarrow }\left\{ 0,1\right\} \)	\( (\sigma '_{i},K)\overset{r'_{i}}{\leftarrow }\mathsf {Dec2}(\sigma '_{i-\text {1}},w_{i})\)
\(\left( C,K_{0}\right) \leftarrow \mathsf {Enc}\left( pk\right) \)	\(\Lambda _{i}:=f_{i}(\sigma _{i-1},r_{i})\)
\( K_{1}\overset{\$}{\leftarrow }\mathcal {K}\)	\( \Lambda '_{i}:=h_{i}(\sigma '_{i-1},r'_{i},w_{i})\)
\(b'\leftarrow \mathcal {A}\left( w,CK_{b}\right) \)	\(i:=i+1\)
	Return \((K,\Lambda _{i},\Lambda '_{i})\)