What is 0-RTT?

0-RTT (zero round-trip time) lets a client send application data immediately on reconnection without waiting for a handshake to complete — eliminating the latency of that initial exchange entirely.

How does it work?

When a client connects to a server for the first time using QUIC or TLS 1.3, the server sends back a pre-shared key (PSK) along with the handshake. The client stores this key locally. On the next connection to the same server, the client encrypts its first message using the stored key and sends it alongside the handshake — no waiting required.

In a normal handshake, the client sends a hello, waits for the server's response, then sends data. That's at least one round trip before any useful work happens. With 0-RTT, the data rides with the very first packet.

What is the replay attack tradeoff?

0-RTT data cannot be fully protected against replay attacks. An attacker who captures a 0-RTT packet can resend it to the server, and the server might process it again. This is a fundamental limitation — the server hasn't had a chance to generate a unique challenge yet.

This means 0-RTT is safe for idempotent requests (like loading a webpage) but dangerous for non-idempotent ones (like submitting a payment). Servers must decide which requests to accept as 0-RTT and reject or deduplicate the rest.
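The accept, reject, or deduplicate decision described above can be sketched as server-side policy. This is an added example, not code from any QUIC or TLS library: the class, method names and handshake identifiers are hypothetical. It assumes the server can derive a value unique to each first flight and an estimate of when the client sent it, and it uses HTTP status 425 Too Early (RFC 8470) to tell the client to retry after the handshake.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # idempotent, no side effects
OK, TOO_EARLY = 200, 425                   # 425 Too Early is defined in RFC 8470


class EarlyDataGate:
    """Hypothetical server-side policy for 0-RTT data (all names are illustrative)."""

    def __init__(self, window_seconds=10.0):
        self.window = window_seconds
        self.seen = {}  # handshake id -> time the server first saw it

    def accept_flight(self, handshake_id, sent_at, now):
        """Called once per reconnection: may this connection's 0-RTT data be used?

        handshake_id: a value unique to one first flight (constructed strings here).
        sent_at: the server's estimate of when the client sent it.
        Returning False means: ignore the early data and finish a normal handshake.
        """
        if now - sent_at > self.window:
            return False  # too old to be covered by the replay cache
        # Entries older than the window can go; the age check above covers them.
        self.seen = {h: t for h, t in self.seen.items() if now - t <= self.window}
        if handshake_id in self.seen:
            return False  # the same first flight was already processed
        self.seen[handshake_id] = now
        return True

    def decide(self, method, in_early_data):
        """Per-request policy inside an accepted 0-RTT flight."""
        if in_early_data and method.upper() not in SAFE_METHODS:
            return TOO_EARLY  # client retries once the handshake has completed
        return OK


def demo():
    # Constructed sequence: one reconnection, a replay of it, and a late replay.
    gate = EarlyDataGate(window_seconds=10.0)
    return {
        "first": gate.accept_flight("hello-A", sent_at=0.0, now=0.2),
        "replayed": gate.accept_flight("hello-A", sent_at=0.0, now=3.0),
        "stale": gate.accept_flight("hello-A", sent_at=0.0, now=30.0),
        "get_early": gate.decide("GET", in_early_data=True),
        "post_early": gate.decide("POST", in_early_data=True),
        "post_after_handshake": gate.decide("POST", in_early_data=False),
    }
```

The age check is what lets the cache stay small: anything old enough to have been pruned is also old enough to be refused as stale.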

When is it useful?

0-RTT matters most on high-latency connections. On a 200ms satellite link, saving one round trip means the page starts loading 200ms sooner. On a fast fiber connection, the savings are smaller but still measurable. Mobile users reconnecting after switching networks benefit the most — they're reconnecting to a server they've already talked to, which is exactly the case 0-RTT was designed for.

Why it matters

0-RTT is one of the key performance features that makes QUIC faster than TCP + TLS for returning visitors. It trades a narrow security guarantee (replay protection) for a significant latency improvement on reconnection.