A peer-to-peer protocol for anonymous AI inference.
Break the link between who you are and what you ask.
Every prompt you send to an AI assistant is logged under your account, your payment method, your device. Over time, this creates a complete behavioral profile -- not because any single question is sensitive, but because years of questions from the same identity are. Trustchain introduces Peer2Prompt, a protocol that separates who asked from what was asked while preserving access to frontier models.
Read the Whitepaper | Why This Exists | The Protocol | Key Features | Contributing
The privacy problem with AI is not about content secrecy. It is about linkage.
"A question about a medical symptom" is low-value data. "A question about a medical symptom from a specific person, correlated with ten thousand other questions across three years" is a surveillance goldmine. Every major AI provider binds prompts to persistent identity by default. The result is trivial profile construction at full resolution -- time, content, identity, all linked.
Existing alternatives each fail in practice:
- Local models avoid remote logging but sacrifice capability, context length, and latency for most users.
- Cryptographic private inference (MPC, FHE, TEEs) is promising but not deployable at consumer scale today.
- Centralized privacy brokers can mediate access but create single points of legal and operational failure.
Trustchain takes a different path. Keep using frontier APIs. Route access through a censorship-resistant marketplace where identity and prompt are separated by protocol design.
Peer2Prompt combines three mature cryptographic ingredients into a new economic architecture:
Onion-routed multi-hop forwarding. Each inference request is wrapped in layers of encryption and forwarded through 2-3 relay nodes before reaching the exit. No single relay sees both the client's network identity and the cleartext prompt. Return paths use single-use reply blocks so the serving node never learns the client's address.
Ghost Nodes. The novel mechanism. API credential holders contribute their own provider keys and earn electronic cash by serving anonymous inference for others. The AI provider sees ordinary account traffic from the Ghost's credentials. The client gets frontier model access without revealing identity. Ghost Nodes create a market where privacy demand purchases model access from distributed credential owners -- no central privacy company required.
Chaumian ecash payments. Payments use Cashu-style blind signatures over Lightning. The mint issues tokens it cannot later link to specific spend events. Users fund wallets pseudonymously, spend tokens at Ghost Nodes, and the payment trail is broken at each step. Small, frequent, low-friction payments with weak identity coupling.
Serverless discovery. Peer coordination uses a Kademlia-style DHT. No central server for discovery, no company to subpoena, no single domain to seize. Nodes advertise capabilities through short-lived, signed advertisements tied to rotating epoch keys.
Client
|
| Enc_R1( next=R2, Enc_R2( next=R3, Enc_R3( next=Ghost, Enc_Ghost(prompt, reply_block))))
v
R1 -> R2 -> R3 -> Ghost -> AI Provider
The protocol does not claim perfect anonymity. A compromised Ghost can read the prompts it serves. Global traffic observers can correlate flows. Stylometric analysis can re-identify some users. The claim is weaker and practical: it raises the cost of surveillance from near-zero bulk profiling to targeted, expensive investigation.
| Frontier model access | Prompts forwarded verbatim to provider APIs -- no decomposition, no quality loss |
| Network unlinkability | No honest single node learns both requester identity and prompt content |
| No central authority | DHT-based discovery survives company failure or jurisdictional pressure |
| Ecash payments | Cashu blind signatures over Lightning -- payer and payee unlinkable |
| Open participation | Anyone can relay; API key holders become Ghost Nodes; GPU owners serve local models |
| Incentive-aligned | Ghost Nodes profit from honest service; users pay an anonymity premium that funds the network |
| Session compartmentalization | Sessions pinned to one Ghost with bounded context windows -- no cross-conversation linkage |
| GPU node competition | Open-source model operators compete on price, driving costs down over time |
The full technical specification is available in the docs/ directory:
- Peer2Prompt: A Peer-to-Peer Protocol for Anonymous AI Inference (PDF)
- Whitepaper source (Markdown)
- Typst source
- Brainstorm notes
- References
The paper covers system architecture, cryptographic packet construction, the ecash payment lifecycle, a five-tier threat model analysis, Ghost Node economics, and honest discussion of limitations including exit plaintext exposure, traffic analysis, and stylometric deanonymization.
This is a research-stage project. The whitepaper is open for review, critique, and extension.
Ways to contribute:
- Review the protocol -- Find holes in the threat model, challenge assumptions, suggest improvements.
- Formal analysis -- The security properties described are informal. Formal verification of route unlinkability or payment privacy would strengthen the work.
- Implementation exploration -- The paper includes an implementation sketch (Section 12). Early prototyping of the DHT, onion routing, or Cashu integration is welcome.
- Economic modeling -- Ghost Node incentive analysis would benefit from simulation under realistic market conditions.
Open an issue or submit a pull request.
This project is licensed under the MIT License.
Built by Boris Djordjevic at 199 Biotechnologies | Paperfoot AI