Abstract: Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any stringx of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is ``ideal.'' Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she ``knows'' the corresponding plaintexts---such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
In the case when f is RSA this OAEP scheme is used in SET (Secure Electronic Transactions, a standard for electronic payments being developed by Visa and MC) and is being considered for public key encryption standards.
Ref: Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995. Full paper of revised version available below.
Full paper: Available as Available in Available in PostScript or gzipped PostScript or pdf
Rogaway's home page.