People have been scared of Rabin encryption because it has a chosen
ciphertext attack which reveals the key. The attacker needs to be able
to get the key holder to Rabin decrypt the encrypted session key, then
to tell him what the decrypted value was.
In normal circumstances this is unlikely to be a problem. If the
decryption of the ESK packet produces garbage, there is no reason to
send the decrypted garbage back to the attacker. As long as you just
destroy the garbage, you are OK.
Still I think there may be some fear about using an algorithm which has
this potential vulnerability.