Because Oscur0 starts with 0-RTT data lacking a full handshake, the station-side connection establishment is vulnerable to replay attacks. Oscur0 mitigates this by including a random 10-byte nonce in the encrypted application data of the first packet; the station checks each arriving nonce against a bloom filter of recently seen nonces and drops duplicate connections, preventing replay without requiring a full round-trip handshake.
From 2024-chen-extended — Extended Abstract: Oscur0: One-shot Circumvention without Registration
· §3 Design
· 2024
· Free and Open Communications on the Internet
Implications
Any 0-RTT or registration-free design must include a server-side replay cache (bloom filter or similar) keyed on a per-packet nonce to prevent censors or adversaries from replaying captured first packets to probe or fingerprint the station.
Size the bloom filter conservatively for the expected connection rate and rotate it on a time window aligned to the nonce timestamp field, balancing replay protection against memory overhead.
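As an added illustration (not code from the Oscur0 paper or station), the replay cache described above in Python: first-packet nonces are checked against two bloom filters, the current time window and the previous one, so that rotation never drops a nonce that is still within the replay horizon. The bloom sizing formula, the two-window rotation scheme and the blake2b-derived hash positions are this example's own choices, not details from the paper.

```python
import math
import hashlib

class BloomFilter:
    """Fixed-size bloom filter with k positions derived from salted blake2b."""
    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.blake2b(item, digest_size=8, salt=bytes([i]))
            yield int.from_bytes(h.digest(), "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

class ReplayCache:
    """Station-side cache of 10-byte first-packet nonces over two rotating windows."""
    def __init__(self, window_secs: float, expected_per_window: int, fp_rate: float = 1e-6):
        self.window, self.n, self.p = window_secs, expected_per_window, fp_rate
        self.current = BloomFilter(self.n, self.p)
        self.previous = BloomFilter(self.n, self.p)
        self.epoch = None  # index of the window the current filter covers

    def _rotate(self, now: float) -> None:
        epoch = int(now // self.window)
        if self.epoch is None:
            self.epoch = epoch
        elif epoch != self.epoch:
            # Adjacent window: keep the old filter as "previous". If more than one
            # window has passed, everything it held is outside the replay horizon.
            self.previous = self.current if epoch == self.epoch + 1 else BloomFilter(self.n, self.p)
            self.current = BloomFilter(self.n, self.p)
            self.epoch = epoch

    def accept(self, nonce: bytes, now: float) -> bool:
        """True if the nonce is fresh (and now recorded); False if it is a replay."""
        self._rotate(now)
        if nonce in self.current or nonce in self.previous:
            return False
        self.current.add(nonce)
        return True
```

A bloom filter can produce false positives (fresh nonces rejected) but never false negatives, so a replayed nonce within the two-window horizon is always dropped; `fp_rate` sets how often a legitimate client is wrongly refused.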