Papers
Topics
Authors
Recent
Search
2000 character limit reached

Secret Random Oracle (SRO) Overview

Updated 10 July 2026
  • Secret Random Oracle (SRO) is a broad concept encompassing diverse randomness sources, including blockchain protocols, physical entropy devices, and corrected oracle instantiations.
  • It employs game-theoretic and cryptographic techniques to ensure outputs remain unpredictable and unbiased even under adversarial manipulation.
  • SRO mechanisms are vital for secure computations, smart contract randomness, and entropy seeding, balancing rigorous theory with practical system design.

Secret Random Oracle (SRO) is best understood, across the cited literature, as an umbrella designation rather than a single standardized primitive. The associated works treat several adjacent notions: a blockchain-native source of random bits that smart contracts can query while remaining unpredictable, unbiased, and resistant to manipulation; a physically embedded randomness oracle whose internal mechanism may be inaccessible and whose output is attributed to “gaps in the natural laws”; a random-oracle-style assumption whose power in secure computation is sharply bounded; a corrected oracle that remains usable after sparse adversarial subversion; a concrete instantiation characterized via algorithmic randomness; and an SRO-like entropy source for seeding a conventional CSPRNG (Chatterjee et al., 2019, Svozil, 2014, Mahmoody et al., 2012, Russell et al., 2024, Tadaki et al., 2013, Roig, 2018).

1. Conceptual scope

The phrase does not appear as a uniform technical term in all of the relevant papers. Instead, the literature supplies several domain-specific realizations of what an SRO-like object would need to provide: black-box access to outputs that are not known in advance, cannot be biased by an interested party, or are believed to arise from a source beyond effective prediction or inspection. The literature also suggests that “secret” enters in different ways: as physical inaccessibility, as unpredictability before revelation, as resistance to miners or oracle owners, or as an implementation-level opacity that a correction layer or an auditable software design attempts to overcome.

Domain SRO-like object Central issue
Blockchain On-chain random bit source Unbiasability under strategic manipulation
Physics Physical randomness oracle Whether “absolute randomness” exists
Secure computation Random-oracle-style assumption Limits of added cryptographic power
ROM instantiation Concrete oracle family Preserving security after instantiation
Oracle correction Public repair of a subverted oracle Recovering indifferentiability
Systems practice Entropy seeder Practical, auditable unpredictability

A common misconception is to equate every SRO-like object with the standard random oracle of provable cryptography. The cited work does not support that identification. In some settings, the target is a trustworthy randomness source for smart contracts; in others, it is a physical “box” allegedly driven by indeterministic events; elsewhere, it is an idealized function oracle whose usefulness, instantiability, or repair is the subject of formal analysis.

2. Blockchain-native realizations

In programmable blockchains, smart contracts are deterministic by design and therefore cannot natively sample randomness. The blockchain literature frames this as a concrete obstacle for lotteries, casino games, roulette, proof-of-stake leader selection, and DAO committee or voting selection. Naïve sources such as block hash, timestamp, external oracle services, ordinary commit-reveal with deposits, and RANDAO-like schemes are treated as manipulatable because miners, oracle owners, or strategic participants can bias outcomes through withholding, censorship, or selective revelation (Chatterjee et al., 2019).

The formal target is a secure on-chain randomness protocol that can be implemented as a smart contract, used as a library by other contracts, and not rely on the client to provide randomness. For a client request with fee oo, deadline tt, and value bound vv, the protocol is required to satisfy success, penalty, and failure conditions; the output bit should be uniform if at least one participant provides a uniform random input; anyone should be able to join as a participant; miners should not be able to influence output by block tampering or withholding; malicious participants should not be able to tamper with the output if the protocol succeeds; and each request should receive a fresh dedicated random bit. Because blockchain identities are pseudonymous and coalitions matter, the stability notion is quasi-strong Nash equilibrium.

The core mechanism is the Random Bit Generation game GG. If ii is even, Si={0,2}S_i=\{0,2\}; if ii is odd, Si={1,3}S_i=\{1,3\}. For outcome s=(s1,,sn)s=(s_1,\dots,s_n),

ui(s)=jf(si,sj),u_i(s)=\sum_j f(s_i,s_j),

where

tt0

Theorem 1 states that the only quasi-strong equilibrium is the mixed strategy profile

tt1

for all players tt2. This is the game-theoretic basis for making honest randomization the only coalition-proof behavior.

The Random Bit Generator Contract turns that equilibrium into an on-chain protocol. A client issues requestRandomBit with fee tt3, deadline tt4, and estimated value-at-risk tt5. Any participant may register by choosing a random bit tt6 and nonce tt7, computing

tt8

and submitting tt9, a deposit of vv0, and vv1. Before deadline vv2, registered participants reveal vv3; the contract verifies

vv4

and tracks the number of valid reveals and the counts vv5. The client’s fee is distributed according to the RBG utility. If vv6, then participant vv7’s reward is

vv8

The output bit is the XOR of all correctly revealed bits. The protocol returns success if all participants reveal correctly, penalty if some participant fails to reveal and confiscated deposits are paid to the client, and failure if nobody participates or nobody reveals.

The security intuition is economical as well as probabilistic. If at least one participant submits a uniformly random bit, then XOR with that bit makes the final output uniform. If a participant withholds or alters a reveal, the participant loses the deposit vv9, and the execution can downgrade from success to penalty. The resulting construction is presented as an on-chain approximation to a random-oracle query: the output is not “secret” because of cryptographic secrecy alone, but because the protocol structure makes strategic deviation unprofitable and output bias economically costly.

3. Physical randomness oracles and hidden physical sources

A different line of work studies “non-algorithmic oracles for randomness certified by physical principles,” described as physical “boxes containing allegedly indeterministic physical resources” and as oracles that rely on “gaps in the natural laws,” allowing “unlawful behaviour” to be exploited for random bit generation (Svozil, 2014). In this setting, secrecy is not a cryptographic definition but an accessibility claim: the source may be “secret” because its internal state or mechanism cannot be inspected, or because complementarity and value indefiniteness prevent hidden states from being exposed.

The paper treats determinism and complete indeterminism as metaphysical and “non-operational” positions, and argues that a physically meaningful randomness oracle would require observable gaps in the natural laws. Its explicit formulation is that “A necessary and sufficient condition for this is the existence of gaps in the natural laws…”. This frames the strongest version of an SRO-like device as one whose outputs are absolutely random rather than merely unpredictable due to ignorance.

Several mechanisms are proposed. One is spontaneous symmetry breaking or instability, illustrated by an unstable object balanced at a singular point and falling left or right after an arbitrarily small perturbation. Another is deterministic chaos, though that is treated as epistemic unpredictability rather than absolute indeterminism. The strongest candidate is a quantum beam splitter: a single quantum impinging on a GG0 beam splitter is transmitted or reflected with equal probability. Yet the paper emphasizes the tension between the measurement-level interpretation and the unitary description of the device, writing

GG1

This makes it “highly questionable” to regard a reversible unitary element as an “active element” of randomness.

The beam splitter is also modeled through Hadamard structure. A beam splitter with GG2 ports is represented by a normalized Hadamard matrix, with defining condition

GG3

The necessary condition for real Hadamard matrices is

GG4

Hadamard’s conjecture is therefore treated not as a randomness theorem but as a construction criterion for multiport equi-decompositions. The paper also links normalized real Hadamard matrices to mutually unbiased bases.

A further candidate source is the quantum vacuum. Spontaneous emission is presented as “creatio ex nihilo,” with the emitted photon serving as a possible random event. At the same time, the paper repeatedly stresses implementation limits: one may not be able to “screw open” the box; the microscopic theory may remain reversible while the observed event appears random; and converting single indeterministic events into a usable stream may require additional independence assumptions, for example when concentrating “diluted” indeterminism to Borel normality.

4. Random-oracle power and its limits in secure computation

In secure computation, the relevant question is not how to obtain random bits but how much extra power is conferred by a random-oracle-style assumption. For deterministic two-party secure function evaluation, the answer is sharply negative in the semi-honest setting and tightly bounded in the active setting (Mahmoody et al., 2012).

The formal setting studies deterministic two-party functions

GG5

The main theorem states: a deterministic two-party function GG6, with a polynomially large domain, has a semi-honest secure protocol against computationally unbounded adversaries in the random oracle model iff GG7 has a perfectly semi-honest secure protocol in the plain model. Equivalently, for semi-honest deterministic 2-party SFE, a random oracle adds no power at all beyond what is already possible in the plain model. The corresponding combinatorial notion is decomposability: constant functions are decomposable, and a function remains decomposable if it has an Alice-cut or Bob-cut whose restricted subfunctions are decomposable. An undecomposable function does not become semi-honestly realizable merely by adding a random oracle.

For active security, the conclusion is narrower but still restrictive. The paper proves that, for a deterministic finite two-party function GG8, statistically UC-secure and statistically standalone-secure SFE in the random oracle model are equivalent to the same notions in the commitment-hybrid model. In summary,

GG9

Thus a random oracle is useful only as much as access to an ideal commitment functionality is useful.

The proof machinery uses frontier analysis on protocol transcripts together with a public “eavesdropper” or independence learner ii0. The execution tree is augmented with Eve’s oracle queries, and frontiers ii1 and ii2 mark the first points at which significant information about Alice’s or Bob’s input is revealed. Conditioned on Eve’s view, Alice’s and Bob’s views become almost independent, and the proof argues that an undecomposable function would force contradictory frontier orderings. The paper therefore treats a strong SRO-style hidden oracle as unable to create new deterministic semi-honest secure functionalities, and, in the active setting, as useful exactly to the extent that it realizes commitment. It explicitly does not rule out help for randomized functionalities, functionalities with super-polynomial input domains, or other settings beyond deterministic two-party finite-domain SFE.

5. Instantiation, repair, and oracle integrity

One line of work asks whether the random oracle ideal can be instantiated by a concrete function while preserving a proof established in the random oracle model. The formalization uses an ii3-function

ii4

with ii5, and defines security both in the random oracle model and relative to a specific oracle family ii6. The key bridge is algorithmic randomness: the oracle family is encoded as an infinite binary sequence, and notions such as Martin-Löf randomness and Solovay randomness are applied to that sequence (Tadaki et al., 2013).

The central theorem for signature schemes, Theorem 4.10, states that if ii7 is EUF-ACMA secure in the random oracle model, then the following are equivalent: ii8 is EUF-ACMA secure relative to ii9; Si={0,2}S_i=\{0,2\}0 is Solovay random with respect to the relevant test class; and Si={0,2}S_i=\{0,2\}1 is Martin-Löf random with respect to the corresponding Martin-Löf test class. The paper also states that Martin-Löf random reals have measure Si={0,2}S_i=\{0,2\}2, so the set of oracle instantiations preserving EUF-ACMA security has Lebesgue measure Si={0,2}S_i=\{0,2\}3. Under the stronger notion of effective security, Theorem 5.3 proves that there exists a computable Si={0,2}S_i=\{0,2\}4-function Si={0,2}S_i=\{0,2\}5 such that Si={0,2}S_i=\{0,2\}6 remains effectively EUF-ACMA secure relative to Si={0,2}S_i=\{0,2\}7. The stated caveat is decisive: the resulting Si={0,2}S_i=\{0,2\}8 need not be polynomial-time computable.

A different problem is addressed by work on subverted implementations. Here the adversary replaces a true random oracle implementation Si={0,2}S_i=\{0,2\}9 by ii0, computed by a polynomial-time algorithm with oracle access to ii1, under the restriction that the subverted implementation disagrees with the original on only a negligible fraction of inputs: ii2 The correction uses public randomness ii3, sampled after ii4 is supplied and then made public and fixed. The corrected function is

ii5

The resulting security notion is crooked indifferentiability: even after designing ii6 and learning ii7, the adversary should not distinguish the corrected construction from a truly random function (Russell et al., 2024).

The main construction theorem states, in the paper’s notation, that if

ii8

then the corrected construction is indifferentiable from a random oracle ii9, with error

Si={1,3}S_i=\{1,3\}0

This shows that an SRO-like abstraction can be recovered even when the implementation is kleptographically corrupted, provided the corrupted region is sparse and the correction randomness is chosen only after subversion.

6. Systems-oriented SRO analogues

At the systems level, an SRO-like object appears not as an ideal function oracle but as an entropy source intended to seed a standard CSPRNG. SideRand is presented as a heuristic and prototype of a side-channel-based cryptographically secure random seeder that uses benchmark runtime variability rather than a dedicated hardware TRNG. Its final workflow is straightforward: choose a tiny fixed benchmark workload, run it repeatedly and measure elapsed time with a high-resolution timer, collect the resulting time samples, hash the full sample set with SHA-256, apply iterative hash stretching, and use the result to seed or complement a standard CSPRNG. The paper emphasizes two explicit criteria for trust: openness and auditability. The design goal is therefore not “absolute randomness” but a source that is hard to predict, not reducible to a simple deterministic cycle, and sufficiently rich to seed ordinary cryptographic expansion (Roig, 2018).

The paper’s empirical and heuristic claims are specific. Earlier prototypes failed or underperformed, while the acceptable prototypes reached about 99.92% passing rate, comparable to /dev/random and /dev/urandom under rngtest. The author reports thousands of unique runtime values per machine, one case with 142,703 unique values, and in a cluster of four identical servers only 2 overlaps among the top 500 runtime values from each machine. The conservative worst-case entropy model assumes only 20 possible values, treats those top values as roughly uniform, and uses 100 samples, yielding

Si={1,3}S_i=\{1,3\}1

and approximately

Si={1,3}S_i=\{1,3\}2

which is compared with the conservative target of 256 bits, namely

Si={1,3}S_i=\{1,3\}3

On mainstream Intel/AMD Linux systems, with scale = 2000, one run takes less than 0.1 seconds on average. The stated caveats are equally important: very low-resolution timers can make the method impractical; Windows with time.time()-like resolution around 16 ms performed poorly; the design remains a Python 3 prototype; and the entropy estimate is a conservative heuristic rather than a formal proof.

Taken together, these works show that an SRO may denote very different objects depending on context: an incentive-compatible on-chain randomness primitive, a physically inaccessible box grounded in alleged indeterminism, a random-oracle assumption whose utility can be formally delimited, a corrected oracle robust to sparse subversion, a computable instantiation selected via algorithmic randomness, or an open and auditable entropy seeder. What unifies them is not a single definition, but a recurring technical aspiration: black-box access to outputs that can be relied upon despite determinism, strategic manipulation, hidden implementations, or imperfect trust assumptions.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Secret Random Oracle (SRO).