LLUMA.BODEGGA.NET
Technical whitepaper · v0.1 draft · 2026-07

How LLUMA keeps who you are apart from what you asked.

LLUMA is a torrent-style network for anonymous language-model inference. Identity and content are split across three mutually distrusting parties — a relay, a broker, and a serving host — and bound with standardized cryptography: RFC 9474 RSA blind signatures for unlinkable credit tokens, RFC 9458 Oblivious HTTP for identity-blind transport, and RFC 9180 HPKE for end-to-end prompt confidentiality. This page describes the threat model, request lifecycle, and cryptographic constructions — and states its own residual risks.

Read this first. For the volunteer Open tier described here, the serving host does see your prompt in plaintext — it simply cannot link that prompt to your identity or IP. This is unlinkability, not content-blindness. Host-blindness requires the Confidential (TEE) tier, which is designed but not yet built. The anonymity network is not deployed today (see §10).
  1. § 01System model & the privacy invariant
  2. § 02Threat model & trust assumptions
  3. § 03Architecture & roles
  4. § 04Request lifecycle
  5. § 05Cryptographic constructions
  6. § 06The unlinkability bridge
  7. § 07Contribution economy & Sybil resistance
  8. § 08Trust tiers
  9. § 09Known limitations & residual risks
  10. § 10Implementation status & roadmap

§ 01System model & the privacy invariant

The whole design serves one sentence: no single participant ever holds both “who you are” and “what you asked.” Identity (your IP, your account) and content (your prompt) are never present together in any one party’s view.

Everything is delivered through a point-and-click desktop application — a Rust core with a Tauri UI — with a Contribute side that turns hosting a model into a one-click action, and a Chat side that sends anonymous requests into the network. A request succeeds only when it completes end-to-end with no party holding both the originator’s IP and the prompt plaintext, and when repeated requests stay unlinkable to each other and to the user.

§ 02Threat model & trust assumptions

Parties are honest-but-curious individually and may collude pairwise, with one load-bearing exception noted below. The issuer is trusted for credit integrity but not for anonymity — blindness holds even against a malicious issuer.

CONSUMER RELAY BROKER HOST IP + capsule ciphertext + meta sealed prompt SEES: everything of its own SEES: your IP never the prompt SEES: routing meta never IP or prompt SEES: the prompt never who asked
FIG. 01 Trust boundaries across one request Identity is visible only at the relay; content opens only at the host. No party sees both.
PartyMay seeNever sees
RELAYoriginator IP, opaque ciphertextprompt · chosen host · account
BROKER / ISSUERrouting meta, ledger, blinded requestsIP · prompt · account↔token link
HOSTplaintext prompt, a valid tokenIP · account · other requests
TABLE 01 — What each party sees. Compromise of any one yields at most half a secret.
The one operational assumption (leak L1). The invariant is void if the relay (which sees IP) and the broker (which sees routing metadata) are run by the same party that logs. Cryptography cannot fix operational co-location. In the single-operator MVP the relay runs on a separate host with no shared logs; independent community relays arrive in Phase 3.

§ 03Architecture & roles

LLUMA torrents the model weights, but runs each inference whole-model on a single host. Cross-WAN sharding of one model across peers is out of scope — latency makes it slow and fragile.

RoleFunctionTrust
SEED / HOSTHolds weights; serves inference and seeds weight files to others.content, no identity
RELAYOblivious-HTTP relay; hides the originator’s IP from broker and host.identity, no content
BROKERTracker + matchmaker + credit accounting. Centralized in MVP.metadata only
ISSUERBlind-token station; converts credits into unlinkable tokens.blinded material only
TABLE 02 — Roles. The weight-distribution path is separate from the inference path and never carries prompts.

§ 04Request lifecycle

Nested encryption: the prompt is sealed end-to-end to the host inside an Oblivious HTTP capsule to the broker. The relay strips the IP; the broker routes on metadata it can read but cannot open the prompt; only the host decrypts it.

CONSUMER ISSUER RELAY BROKER HOST 1 · blinded token requests 2 · blind signatures (issuer sees only blobs) 3 · OHTTP capsule — relay sees IP, not prompt 4 · ciphertext + routing meta (no IP) 5 · verify token (public key), route 6 · response sealed to session key 7 · OHTTP response 8 · consumer opens both layers receipt credits the HOST — names no consumer
FIG. 02 One anonymous request, end to end Black = request path; red = response path. The receipt credits the host and names no consumer.
  1. Buy tokens out of band. The client blinds random nonces and the issuer blind-signs them, debiting the account. The issuer sees only blinded blobs.
  2. Seal the prompt. The prompt and a fresh session key are HPKE-sealed to the host, then wrapped in an OHTTP capsule to the broker; one token is attached.
  3. Relay strips identity. The relay forwards the capsule and routing metadata to the broker — without the IP it alone saw.
  4. Broker verifies and routes. The token is checked with the issuer’s public key; the host is matched by latency, load, and tier. The broker never opens the prompt.
  5. Host infers, responds, is credited. The host decrypts, runs inference, and streams a response sealed to the session key. A signed receipt credits the host — never the consumer.

§ 05Cryptographic constructions

All primitives are IETF-standardized (or Standards-Track drafts) with maintained, reviewed Rust implementations. No novel crypto.

LayerConstructionProperty relied on
Credit tokensRFC 9474 RSA blind sigsPerfect blinding + public verifiability
TransportRFC 9458 Oblivious HTTPRelay sees IP; broker sees metadata
End-to-endRFC 9180 HPKE (X25519 / ChaCha20-Poly1305)Only the host opens the prompt
SessionsEphemeral X25519, per requestRequests unlinkable to each other
IdentityEd25519 account + BLAKE3 handleContribution-side only; no PII
BackupBIP-39 seed + Argon2id / XChaCha20-Poly1305Self-custodial; no PII recovery
TABLE 03 — Primitive selection. Full rationale and parameters live in ADR-0001.

§ 06The unlinkability bridge

The one place the identified ledger touches anonymous spending is redemption — and it is exactly there that the link is cut.

ACCOUNT Ed25519 · credit balance IDENTIFIED BLIND SIGNING RFC 9474 bearer token bearer token bearer token ANONYMOUS blinded signed LINK SEVERED — no party can trace a spent token to the account
FIG. 03 Redemption severs account from spend RSA blinding is information-theoretically hiding: the issuer transcript fits every possible token set.

The issuer’s entire view of a redemption is the account key, the blinded blobs, and the blind signatures. Because RSA blinding is information-theoretically hiding, that transcript is equally consistent with every possible set of resulting tokens. When a token is later spent, no party — not even the issuer colluding with the broker and hosts — can trace it to the redeeming account. The guarantee is enforced by the shape of the API: verification accepts only an issuer public key and a token, so no function can express “consumer account + spendable token” in one place. Residual linkage is only statistical (timing, counts) — see L2 and L4.

§ 07Contribution economy & Sybil resistance

You contribute before you consume, tiered to your hardware. Accounting is anonymous by the same mechanism as spending.

Contribution produces signed receipts aggregated into a credit balance, spent by presenting blind tokens — so “who earned” and “who spent” cannot be correlated. Credits are non-transferable and redeemable only for your own inference: no trading, no fiat. Sybil resistance falls out of this — an account is a free keypair, so a fresh account is nearly worthless (a small trial grant only); a credited account requires burning real hosted, seeded, or donated compute. Identity is cheap; credited identity is expensive.

§ 08Trust tiers

Two tiers, honestly labeled, chosen per request.

TierExecutionHost seesGuarantee
OPENAny volunteer hostplaintext prompt, anonymous originUnlinkability — content not traceable to identity
CONFIDENTIALtier: tee — attested enclavesees: ciphertextUnlinkability + host-blindness (Phase 4)
TABLE 04 — What each tier promises. In LLUMA, “zero-knowledge” means TEE-attested and operator-blind — never FHE.

§ 09Known limitations & residual risks

A design that names its weaknesses is one you can evaluate. Each row is a place identity↔content could leak, and its mitigation.

#RiskMitigation
L1Relay + broker one operator with logs → invariant voidOperational separation; community relays (Phase 3)
L2Issuer key epochs partition the anonymity setOne global key/epoch, ≥30-day epochs, transparency log
L3Response-key reuse links requestsFresh per-request keypair by API construction
L4Timing/count correlation of redeem then spendBatched pre-fetch, spend buffering, coarse timestamps
L5PII-based recovery re-identifies the economyForbidden; self-custodial seed phrase only
L6Variable token denominations partition the setSingle denomination
L7Routing metadata as a fingerprintCoarse net-coordinates; low-cardinality model-id
L8Prompt bytes leaking into logs/errorsNo error variant embeds plaintext; enforced by test
TABLE 05 — Residual-risk register. Against a curious host the Open tier protects identity, not content.

§ 10Implementation status & roadmap

This is a design whitepaper. It describes the target architecture; the anonymity network is not deployed yet.

PhaseScopeStatus
0 — DogfoodDesktop app + local GGUF inference (llama.cpp)done, verified
1 — MVPRelay + broker + blind-token issuer + creditsin active design/build
2 — Torrent layerP2P content-addressed weight distributionplanned
3 — DecentralizeDHT tracker, multiple relays, gossip, canary auditsplanned
4 — HardeningConfidential (TEE) tier + attestation; wider clientsplanned
TABLE 06 — Progressive decentralization. Today: Phase 0 shipped; Phase 1 crypto foundation under construction.

References

RFC 9474 RSA Blind Signatures · RFC 9458 Oblivious HTTP · RFC 9180 HPKE · RFC 9576/9578 Privacy Pass · draft-ietf-ohai-chunked-ohttp · BIP-39 · crates: blind-rsa-signatures, ohttp, hpke, ed25519-dalek, argon2, chacha20poly1305, blake3.

$back to overview $top of paper