Having access to a private key lets you decrypt all messages encrypted with its corresponding public key. Public key cryptography is rendered useless if the attacker gains access to your private key. I will agree that it doesn't necessarily mean that the attacker can decrypt all of your messages, first they need to obtain the ciphertexts in the first place. But I do mean that it renders it entirely fucking pointless to have used asymmetric crypto in the first place, if your attacker has access to your private key. You are then banking on the attacker not being able to intercept your messages, but in the case that they do intercept your message, you may as well have not even used asymmetric cryptography in the first place. Thus it is stupid to claim that an attacker having your private key is useless, an attacker having your private key renders cryptography entirely useless and changes the problem to one of server security or some such thing, assuming encrypted links , without which the attacker could use a wiretap to spy on the information in transit. You are essentially arguing against using asymmetric cryptography for messages and rather only for links, with the security for messages coming from server hardening. Server hardening is important, but it is not nearly as important as asymmetric cryptography for encryption of stored communications at the rendezvous server, which is cryptographically secure and not something that is compromised on a regular basis, unlike server hardening. Essentially your claim is reduced to saying that people on SR shouldn't use GPG, but rather should hope that DPR is trustworthy and has perfectly hardened the server. 2^128 is an astronomical number. 2^256 is an astronomical number. There are NO WHERE near 2^128 GPG encrypted messages. Also, your system would involve a concentration of ciphertexts at a server, testing every ciphertext on that server with every private key wouldn't take much time at all. Even if the attacker cannot link a private key to a specific person, after they quickly find the messages that the key can decrypt, they will be able to select targets based on the contents of the communications. What you are arguing sounds a lot like security via obscurity actually, rather than security via the cryptographic system (rendered null by the attacker having the private key), you are saying people should rely on security via the obscurity of their ciphertexts. Anyone with a masters degree in cryptography would recognize that this is ludicrous. Really they would be worthless? Because they cannot test them against each of the ciphertexts on your server until they find the ciphertexts they can decrypt? Actually GPG ciphertexts usually have key ID embedded in them so they don't even need to brute force decrypt the messages they can look for the messages that are encrypted to the key ID that they have by virtue of having the private key. Shouldn't someone with a masters degree in cryptography know this? Pretty easy to tell if a message is encrypted with a corresponding key considering that by default GPG ciphertexts have key ID they are encrypted to embedded in them. I guess your server side implementation of GPG could always use --throw-keyids , but it is still just a matter of brute force decrypting messages. Unless you have 2^128 ciphertexts on your server, that seems like it will not be very good to rely on. Also, are we still assuming that you, the most trustworthy person in the world, are to be the keeper of the private keys? So since it is your server, doesn't that mean you also have access to all the message ciphertexts? Do you really expect us to believe that you cannot brute force ciphertexts until you find the private key that decrypts them? Anyway, how do you even plan to separate the keys from the messages while still managing server side encryption? Also, if an attacker can hack into your server and steal private keys, do you think they cannot hack into your server and steal message ciphertexts? Anyway it sounds like you are still arguing for security via server hardening rather than security via asymmetric cryptography. So your system doesn't hold ciphertexts, but only encrypts data for transit on other servers, like SR? Well let's see, you advertise your service on SR and it will likely be used by a largely SR audience. Now if LE pwn SR and get ciphertexts, they only need to pwn your server and get private keys and then try them against ciphertexts until they find ones that decrypt into intelligible things. Easy to do, and without 2^128 messages to go through, far easier than trying to directly attack the ciphertexts without the "useless" private keys. The full point of using asymmetric crypto to protect messages on SR is to protect yourself in the event that SR server falls into the hands of the authorities, so the full point of using it is to make it so you DON'T have bigger problems if the server is hacked/pwnt/seized. Once again, it sounds like you argue for security of communications via server hardening and link encryption, rather than end to end asymmetric cryptography. This is widely known as being a far inferior method of trying to protect communications, so it seems strange someone with a masters degree in cryptography would advocate for it. I highly doubt that you have a masters degree in cryptography, or you would not say such stupid shit as it doesn't matter if the attacker has your private key.