Binding encryption provides an effective way to broadcast a secret to an authorized group of users, which guarantees decryption consistency, i.e., that all users can obtain the same message without any interaction among them. In this paper, we first give the definition of security of a binding encryption, and then construct a primitive that achieves security against chosen plaintext attacks (CPA) and decryption consistency. This primitive is derived from a CPA-secure public-key encryption (PKE) scheme. Then, we present several transformations of binding encryption, which ensure some advanced security requirements such as anonymity, strong decryption consistency, and non-malleability.

(1) Negative results that: (a) a CCA (chosen-ciphertext attack) secure PKE does not imply a CCA-secure multi-receiver encryption (ME) or binding encryption; (b) an anonymous CPA-secure PKE implies an anonymous ME but does not imply any anonymous binding encryption; (c) a CCA-secure anonymous PKE does not imply a CCA-secure anonymous ME or anonymous binding encryption.

(2) A generic construction for a binding encryption that: (a) uses CPA-secure PKE and symmetric encryption to construct a CPA-secure ME; (b) uses a CPA-secure ME and a polynomially verifiable function to construct a CPA-secure binding encryption.

(3) Three transformations from (anonymous) CCA-secure PKE to (anonymous) CCA-secure binding encryption: the first one is based on a strong one-time signature, the second one is derived from a trapdoor pseudo-random function, while the third one is based on (information-theoretically secure) cover-free families, and hence it does not require any additional computational assumptions.