Show HN: LLMTor – Access Public LLMs anonymously using blind signatures and Tor
llmtor.com
Hi HN!
I’ve built LLMTor, software that allows you to access public LLMs like ChatGPT such that even the server operator cannot tell which prompt was sent by which user.
I was motivated by an old Sam Altman interview (https://x.com/rohanpaul_ai/status/1949502746492535282), where he mentioned that LLM providers are required to break user privacy if needed (and this can probably be done for selling ads as well).
Local LLMs are the gold standard for privacy, but you lose access to frontier models, and get the overhead of self-hosting. But if you use public LLMs like ChatGPT, they will always know the plaintext prompt and responses.
So I settled on a middle ground, where I break the link between the user identity and the prompt contents.
LLMTor sits as a proxy between users and upstream LLM providers. It uses blind RSA signatures (RFC 9474) to issue tokens that can later be redeemed for LLM access anonymously over Tor.
Here’s an interactive demo of the protocol: https://api.llmtor.com/demo
TL;DR:
1. User buys credits and obtains tokens signed via blind RSA (identity known to server)
2. The server cannot link the signed token back to the user (blind signature unlinkability)
3. User redeems token + prompt over Tor (identity unknown to server)
Links
Website: https://llmtor.com
GitHub: https://github.com/prince776/LLM-Tor
Whitepaper: https://llmtor.com/whitepaper.pdf
Would love feedback on the protocol, implementation, or anything else.

Hi, Maker here — wanted to address the abuse/moderation angle since I know it'll come up.
1. Moderation
For legal reasons, the proxy itself also has to do moderation, which technically increases the surface area of prompt exposure, but naturally, it still remains decoupled from identity.
2. Abuse handling
Since the blindrsa tokens are blind, banning abusing users (which is generally a requirement for hosting such a service) is required. So to do so, I have to dial down the privacy a bit, and attach 1 blindrsa token permanently to the user (naturally the server wouldn't know which user has which perm token). If the server detects too many abusive usages from the same pseudoanonymous token, it can ban it. (I have another monthly token that rotates, to avoid this token-being-stolen problem.)
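
The issue-then-redeem flow from the post's TL;DR, as an added example that is not part of the original posts and is not LLMTor's code. It assumes a constructed toy key built from two Mersenne primes and a plain SHA-256 hash reduced mod N in place of the RSA-PSS encoding RFC 9474 specifies; all function and class names are hypothetical.

```python
import hashlib, secrets
from math import gcd

# Constructed toy key from two Mersenne primes: demo only, not a usable RSA key.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # server's private exponent

def h(token: bytes) -> int:
    """Hash-to-integer stand-in; RFC 9474 uses an RSA-PSS encoding here."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def client_blind(token: bytes):
    """Client multiplies H(token) by r^e so the signer cannot see it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def server_sign(blinded: int) -> int:
    """Issuance: the server knows who is buying but sees only the blinded value."""
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    """Dividing out r leaves an ordinary RSA signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N

class Redeemer:
    """Redemption side: verifies the signature and rejects reused tokens."""
    def __init__(self):
        self.spent = set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(token) or token in self.spent:
            return False
        self.spent.add(token)
        return True

def demo():
    token = secrets.token_bytes(32)          # chosen by the client, never sent at issuance
    blinded, r = client_blind(token)
    blind_sig = server_sign(blinded)
    issuance_log = [(blinded, blind_sig)]    # all the server can store beside the account
    sig = client_unblind(blind_sig, r)
    server = Redeemer()
    first = server.redeem(token, sig)        # later, over Tor, together with the prompt
    replay = server.redeem(token, sig)       # same token again must fail
    linkable = any(h(token) == b or sig == s for b, s in issuance_log)
    return first, replay, linkable
```

`demo()` returns `(True, False, False)`: the unblinded signature verifies, a replayed token is refused, and neither value seen at redemption matches anything recorded at issuance.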