Replace unbounded NonceMap with bounded NonceWindow #357
Merged
0pcom merged 1 commit into skycoin:develop from Mar 30, 2026
The NonceMap (map[uint64]struct{}) grew forever on long-lived sessions, accumulating one entry per decrypted message. For the setup-node handling thousands of streams, this leaked megabytes of memory over time.

Replace with NonceWindow: a sliding window using a 1024-bit bitmap (128 bytes) that tracks the highest nonce seen and the last 1024 nonces for out-of-order replay detection. Memory usage is constant regardless of session lifetime.

Since the transport is reliable (TCP via yamux/smux), nonces arrive mostly in order, so a 1024-entry window is more than sufficient. Nonces older than the window are rejected as replays.

The old NonceMap and DecryptWithNonceMap are kept but deprecated for backward compatibility.
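
The sliding-window replay check described in this pull request, written out as an added Go example; it is not the project's code, and the struct layout, the `Check` method and the `windowSize` constant are assumptions made for illustration.

```go
package main

import "fmt"

const windowSize = 1024 // nonces tracked behind the highest one (1024 bits = 128 bytes)

// NonceWindow is an illustrative sliding-window replay filter (hypothetical
// layout, not the project's type). The zero value is ready to use.
type NonceWindow struct {
	highest uint64
	bits    [windowSize / 64]uint64 // slot n%windowSize is set once nonce n is accepted
}

func (w *NonceWindow) slot(n uint64) (word int, mask uint64) {
	i := n % windowSize
	return int(i / 64), uint64(1) << (i % 64)
}

// Check reports whether nonce is fresh and records it. Call it only after the
// message has authenticated, so forged nonces cannot advance the window.
func (w *NonceWindow) Check(nonce uint64) bool {
	if nonce > w.highest {
		if diff := nonce - w.highest; diff >= windowSize {
			w.bits = [windowSize / 64]uint64{} // every tracked nonce is now stale
		} else {
			for i := uint64(1); i <= diff; i++ { // recycle slots that slid out
				word, mask := w.slot(w.highest + i)
				w.bits[word] &^= mask
			}
		}
		w.highest = nonce
	} else if w.highest-nonce >= windowSize {
		return false // older than the window: rejected as a replay
	}
	word, mask := w.slot(nonce)
	if w.bits[word]&mask != 0 {
		return false // already seen inside the window
	}
	w.bits[word] |= mask
	return true
}

func main() {
	var w NonceWindow
	// Constructed nonce sequence: in order, reordered, replayed, big jump, too old.
	for _, n := range []uint64{1, 3, 2, 2, 2000, 977, 976, 3} {
		fmt.Printf("nonce %4d accepted=%v\n", n, w.Check(n))
	}
}
```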