Looking for a very fast key agreement system



Hi,

I'm looking for a secure and performant key agreement system.
By secure I mean it must have pretty much the same properties than PGP
has
By efficient, I mean that on the receiving side, it must cost about
that same as an RSA signature verification operation.

- There is one recipient, many senders.
- The senders have a lot of processing power and storage. The recipient
has limited processing power and very limited storage.
- The communication is one way only: the recipient cannot communicate
with the sender.

I have 3 systems that would almost work but do not quite:

A) RSA : sender choose a random session key, encrypt it with recipient
public RSA key. Recipient decrypt with its private key.
B) Half Ephemeral DH: Recipient has private key a and public key g^b.
Sender choose b, the ephemeral private key, calculate session key is
(g^a)^b and sends public key g^b to recipient. Recipient calculate
session key (g^b)^a
C) AES with shared secret key. Recipient has a private AES key K.
Sender has a public key S. Recipient generate sender private key by
encrypting S with K, and send it to Sender. For each session the sender
sends its public key, the Sender private key is the session key. The
recipient recalculate the session key everytime.

The problem with A and B is that it is not efficient enough: they both
require an expensive exponentiation. If there was a Public key
encryption algorithm where the private key operation is inexpensive
that would work very well.

C satisfies performance requirement, as well as storage (the Senders
private keys are not
stored by the recipient) but has drwabacks:
- it does require a one time communication from recipient to sender
- the sender has to store a private key (it doesnt need to with RSA and
DH)
- the session key is always the same.

I'm thinking this last point could be mitigated by having the sender
generate send a public session key along with it public key S, the
session key being the public session key encrypted with the sender
private key. (Lets call that system D )

So have several questions:
1) Is there any other systems that would satisfie all my needs
2) Is system C a known system ?
3) Is system D really better than C ?

Thanks

.