Token-controlled public key encryption (TCPKE) schemes, introduced in [1], offer many possibilities of application in financial or legal scenarios. Roughly speaking, in a TCPKE scheme messages are encrypted by using a public key together with a secret token, in such a way that the receiver is not able to decrypt this ciphertext until the token is published or released. The communication overhead for releasing the token is small in comparison with the ciphertext size. However, the fact that the same ciphertext could decrypt to different messages under different tokens was not addressed in the original work. In our opinion this is an essential security property that limits the use of this primitive in practice. In this work, we formalize this natural security goal and show that the schemes in [1] are insecure under this notion. In the second place, we propose a very simple and efficient generic construction of TCPKE schemes, starting from any trapdoor partial oneway function. This co...