How LLUMA keeps who you are apart from what you asked.
LLUMA is a torrent-style network for anonymous language-model inference. Identity and content are split across three mutually distrusting parties — a relay, a broker, and a serving host — and bound with standardized cryptography: RFC 9474 RSA blind signatures for unlinkable credit tokens, RFC 9458 Oblivious HTTP for identity-blind transport, and RFC 9180 HPKE for end-to-end prompt confidentiality. This page describes the threat model, request lifecycle, and cryptographic constructions — and states its own residual risks.
- § 01System model & the privacy invariant
- § 02Threat model & trust assumptions
- § 03Architecture & roles
- § 04Request lifecycle
- § 05Cryptographic constructions
- § 06The unlinkability bridge
- § 07Contribution economy & Sybil resistance
- § 08Trust tiers
- § 09Known limitations & residual risks
- § 10Implementation status & roadmap
§ 01System model & the privacy invariant
The whole design serves one sentence: no single participant ever holds both “who you are” and “what you asked.” Identity (your IP, your account) and content (your prompt) are never present together in any one party’s view.
Everything is delivered through a point-and-click desktop application — a Rust core with a Tauri UI — with a Contribute side that turns hosting a model into a one-click action, and a Chat side that sends anonymous requests into the network. A request succeeds only when it completes end-to-end with no party holding both the originator’s IP and the prompt plaintext, and when repeated requests stay unlinkable to each other and to the user.
§ 02Threat model & trust assumptions
Parties are honest-but-curious individually and may collude pairwise, with one load-bearing exception noted below. The issuer is trusted for credit integrity but not for anonymity — blindness holds even against a malicious issuer.
| Party | May see | Never sees |
|---|---|---|
| RELAY | originator IP, opaque ciphertext | prompt · chosen host · account |
| BROKER / ISSUER | routing meta, ledger, blinded requests | IP · prompt · account↔token link |
| HOST | plaintext prompt, a valid token | IP · account · other requests |
§ 03Architecture & roles
LLUMA torrents the model weights, but runs each inference whole-model on a single host. Cross-WAN sharding of one model across peers is out of scope — latency makes it slow and fragile.
| Role | Function | Trust |
|---|---|---|
| SEED / HOST | Holds weights; serves inference and seeds weight files to others. | content, no identity |
| RELAY | Oblivious-HTTP relay; hides the originator’s IP from broker and host. | identity, no content |
| BROKER | Tracker + matchmaker + credit accounting. Centralized in MVP. | metadata only |
| ISSUER | Blind-token station; converts credits into unlinkable tokens. | blinded material only |
§ 04Request lifecycle
Nested encryption: the prompt is sealed end-to-end to the host inside an Oblivious HTTP capsule to the broker. The relay strips the IP; the broker routes on metadata it can read but cannot open the prompt; only the host decrypts it.
- Buy tokens out of band. The client blinds random nonces and the issuer blind-signs them, debiting the account. The issuer sees only blinded blobs.
- Seal the prompt. The prompt and a fresh session key are HPKE-sealed to the host, then wrapped in an OHTTP capsule to the broker; one token is attached.
- Relay strips identity. The relay forwards the capsule and routing metadata to the broker — without the IP it alone saw.
- Broker verifies and routes. The token is checked with the issuer’s public key; the host is matched by latency, load, and tier. The broker never opens the prompt.
- Host infers, responds, is credited. The host decrypts, runs inference, and streams a response sealed to the session key. A signed receipt credits the host — never the consumer.
§ 05Cryptographic constructions
All primitives are IETF-standardized (or Standards-Track drafts) with maintained, reviewed Rust implementations. No novel crypto.
| Layer | Construction | Property relied on |
|---|---|---|
| Credit tokens | RFC 9474 RSA blind sigs | Perfect blinding + public verifiability |
| Transport | RFC 9458 Oblivious HTTP | Relay sees IP; broker sees metadata |
| End-to-end | RFC 9180 HPKE (X25519 / ChaCha20-Poly1305) | Only the host opens the prompt |
| Sessions | Ephemeral X25519, per request | Requests unlinkable to each other |
| Identity | Ed25519 account + BLAKE3 handle | Contribution-side only; no PII |
| Backup | BIP-39 seed + Argon2id / XChaCha20-Poly1305 | Self-custodial; no PII recovery |
§ 06The unlinkability bridge
The one place the identified ledger touches anonymous spending is redemption — and it is exactly there that the link is cut.
The issuer’s entire view of a redemption is the account key, the blinded blobs, and the blind signatures. Because RSA blinding is information-theoretically hiding, that transcript is equally consistent with every possible set of resulting tokens. When a token is later spent, no party — not even the issuer colluding with the broker and hosts — can trace it to the redeeming account. The guarantee is enforced by the shape of the API: verification accepts only an issuer public key and a token, so no function can express “consumer account + spendable token” in one place. Residual linkage is only statistical (timing, counts) — see L2 and L4.
§ 07Contribution economy & Sybil resistance
You contribute before you consume, tiered to your hardware. Accounting is anonymous by the same mechanism as spending.
Contribution produces signed receipts aggregated into a credit balance, spent by presenting blind tokens — so “who earned” and “who spent” cannot be correlated. Credits are non-transferable and redeemable only for your own inference: no trading, no fiat. Sybil resistance falls out of this — an account is a free keypair, so a fresh account is nearly worthless (a small trial grant only); a credited account requires burning real hosted, seeded, or donated compute. Identity is cheap; credited identity is expensive.
§ 08Trust tiers
Two tiers, honestly labeled, chosen per request.
| Tier | Execution | Host sees | Guarantee |
|---|---|---|---|
| OPEN | Any volunteer host | plaintext prompt, anonymous origin | Unlinkability — content not traceable to identity |
| CONFIDENTIAL | tier: tee — attested enclave | sees: ciphertext | Unlinkability + host-blindness (Phase 4) |
§ 09Known limitations & residual risks
A design that names its weaknesses is one you can evaluate. Each row is a place identity↔content could leak, and its mitigation.
| # | Risk | Mitigation |
|---|---|---|
| L1 | Relay + broker one operator with logs → invariant void | Operational separation; community relays (Phase 3) |
| L2 | Issuer key epochs partition the anonymity set | One global key/epoch, ≥30-day epochs, transparency log |
| L3 | Response-key reuse links requests | Fresh per-request keypair by API construction |
| L4 | Timing/count correlation of redeem then spend | Batched pre-fetch, spend buffering, coarse timestamps |
| L5 | PII-based recovery re-identifies the economy | Forbidden; self-custodial seed phrase only |
| L6 | Variable token denominations partition the set | Single denomination |
| L7 | Routing metadata as a fingerprint | Coarse net-coordinates; low-cardinality model-id |
| L8 | Prompt bytes leaking into logs/errors | No error variant embeds plaintext; enforced by test |
§ 10Implementation status & roadmap
This is a design whitepaper. It describes the target architecture; the anonymity network is not deployed yet.
| Phase | Scope | Status |
|---|---|---|
| 0 — Dogfood | Desktop app + local GGUF inference (llama.cpp) | done, verified |
| 1 — MVP | Relay + broker + blind-token issuer + credits | in active design/build |
| 2 — Torrent layer | P2P content-addressed weight distribution | planned |
| 3 — Decentralize | DHT tracker, multiple relays, gossip, canary audits | planned |
| 4 — Hardening | Confidential (TEE) tier + attestation; wider clients | planned |