Everyone who uses Torchat runs as a hidden service. Essentially it is like Alice is a hidden service and Bob is a hidden service. When Alice communicates with Bob she sends her messages to his .onion address, and when Bob sends messages to Alice he sends them to her .onion address. This sort of hides the encryption being used from the user, because unlike GPG where you need to manage your keys and ciphertexts and such, you are just piggy backing on the encryption already provided by Tor. Torchat is sort of neat in that by having everyone run as a hidden service, there is no fixed middle point server that your communications go through (as compared to IRC for example). I have two primary issues with Torchat. The first issue I have with it is that I saw one of the Tor developers comment that the code is buggy. I have not audited the code myself so have no comment, but I am inclined to believe them. Torchat is not part of the Tor project. My biggest issue with Torchat is that everyone runs as a hidden service. Hidden services do not have as strong of anonymity as normal clients do. Everyone running as a hidden service is a Bad Idea, and this design choice is enough to make me suggest strongly against using Torchat. Additionally, it is not technically correct to say that Torchat has no key. It is just that the keys are managed by Tor, since Torchat provides encryption by piggy backing on Tor as I already mentioned. The real difference you guys are talking about is not so much between GPG and Torchat but rather between the general way that RSA is used and the general way that ECDH is used. The use model for RSA is generally that Alice and Bob each have a long term public/private keypair. When Alice wants to send Bob an encrypted message, she encrypts her plaintext with a symmetric algorithm, something like AES-256. The randomly generated key used to symmetrically encrypt the message to Bob is then asymmetrically encrypted with Bobs public key. Upon receiving the ciphertext, Bob enters his password to decrypt his symmetrically encrypted private key. He then uses his private key to decrypt the encrypted session key, and then uses the decrypted session key to decrypt the symmetrically encrypted ciphertext back into the plaintext. (EC)DH is generally used a bit differently. It is a secret sharing algorithm. Imagine Alice and Bob both have long term ECDSA keypairs. These are used for signing messages. Alice and Bob exchange public ECDSA keypairs so they can verify plaintexts from each other in the future. When Alice wants to send Bob an encrypted message, she generates an ephemeral ECDH keypair and sends the public key to Bob. Now Bob generates an ephemeral public keypair and sends his public key to Alice. Alice uses her ephemeral private key and Bobs public key to derive a shared secret, at which point she can securely overwrite her private and even public ephemeral keys. Now she uses her ECDSA private key to sign her plaintext. She then uses the shared secret to symmetrically encrypt the signed plaintext and then she sends it to Bob. Bob uses his ephemeral private key and Alice's ephemeral public key to derive a shared secret as well, and due to the properties of (EC)DH his secret will be the same as Alice's (it is a SHARED secret after all). Now Bob uses this secret to symmetrically decrypt the ciphertext, and then uses Alice's public ECDSA key to verify that Alice actually sent the message. He can then securely erase his public and private ephemeral ECDH key. New ephemeral ECDH keys are generated on a message by message basis. This is a cryptosystem that uses ECDH to achieve forward secrecy, which is a pretty common way of using ECDH, although the same thing can also be done with RSA and ECDH can also be used with long term non-ephemeral keypairs. So it isn't that there is no key, it is just that the key is deleted as soon as you are done with it. It isn't even really a fundamental difference between RSA and DH , it is just the way the systems that use these ciphers are generally constructed. OTR is one example of a system that uses DH in such a way. Tor is another.