I have been fretting about the design of a randomness capability and its impact on languages and runtimes. I'm currently thinking about modeling randomness, reproducibility, and determinism as distinct capabilities.
While evaluating adding alloc support to a Rust library, I realized that not being able to access randomness restricts the use of hash tables. That's a lot of code to replace, and the best compromise I can think of is to fall back to reproducible behavior: using a compile-time salt and a per-process environmental salt specified by the runtime.
I believe this would prevent a DoS attack, as the attacker would need to know both the binary and the runtime salt. Those who don't need to worry about DoS attacks can opt in to strict determinism by zeroing out both values.
I was hoping someone could point me to prior art in this area. Is there an essay on this somewhere?
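One way to wire the two-salt fallback described above into a `HashMap`, as an added example in Rust that is not part of the post or of any library it refers to; `COMPILE_TIME_SALT`, `mix`, and the seeded FNV hasher are constructed stand-ins:

```rust
use std::collections::HashMap;
use std::hash::{BuildHasher, Hash, Hasher};
/// Compile-time salt baked into the binary (constructed value for this example).
pub const COMPILE_TIME_SALT: u64 = 0x9E37_79B9_7F4A_7C15;
/// SplitMix64 finaliser; mix(0) == 0, so zeroed salts collapse to the plain, reproducible hash.
fn mix(mut x: u64) -> u64 {
    x = (x ^ (x >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    x = (x ^ (x >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    x ^ (x >> 31)
}

/// `BuildHasher` seeded from both salts; predicting it needs the binary and the runtime salt.
pub struct SaltedState { seed: u64 }
impl SaltedState {
    pub fn new(compile_time_salt: u64, runtime_salt: u64) -> Self {
        SaltedState { seed: mix(compile_time_salt) ^ mix(runtime_salt) }
    }
}

/// Seeded FNV-1a, used only to keep the example dependency-free; a keyed
/// hash such as SipHash is what a DoS-resistant table should actually use.
pub struct SaltedFnv(u64);
impl Hasher for SaltedFnv {
    fn write(&mut self, bytes: &[u8]) {
        for &b in bytes {
            self.0 = (self.0 ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01B3);
        }
    }
    fn finish(&self) -> u64 { mix(self.0) }
}

impl BuildHasher for SaltedState {
    type Hasher = SaltedFnv;
    fn build_hasher(&self) -> SaltedFnv {
        SaltedFnv(0xCBF2_9CE4_8422_2325 ^ self.seed) // FNV offset basis XOR seed
    }
}

/// Hash one value under the given salt pair.
pub fn hash_with<T: Hash>(value: &T, compile_time_salt: u64, runtime_salt: u64) -> u64 {
    let mut h = SaltedState::new(compile_time_salt, runtime_salt).build_hasher();
    value.hash(&mut h);
    h.finish()
}

/// A `HashMap` wired to the salted state, as the `alloc` fallback would use it.
pub fn salted_map<K: Hash + Eq, V>(runtime_salt: u64) -> HashMap<K, V, SaltedState> {
    HashMap::with_hasher(SaltedState::new(COMPILE_TIME_SALT, runtime_salt))
}
```

Passing `0` for both salts gives the strictly deterministic mode the post describes; any non-zero runtime salt changes every key's hash without touching the table code.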