When a new user joins, she generates a new AES256 key (her "sender key") and Ed25519 key (her "signing key"). She then sends these keys to existing members, encrypted under the "pairwise keys" from pairwise key agreements. This allows subsequent messages to be encrypted-and-signed once, instead of N times with pairwise keys.
Every time a message is encrypted or decrypted with a sender key, the key is afterwards updated to provide forward secrecy:
sender_key = HMAC-SHA256(prev_sender_key, "0")
== Server order ==
All clients see the same message order from the server. All messages are sent to all users. Aside from the presence messages sent by the server, messages are sent by users.
All messages in a room have a unique sequence number (0, 1, ...). Sequence numbers are implicit, as the server may not be aware of them (e.g. XMPP MUC).
A new user synchronizes his view of sequence numbers via the QUERY / MEMBER_LIST messages (see below).
== Causal order ==
Every user-sent message specifies a "parent" sequence number which is the last message the user received before sending it. Note:
* If Alice sends messages (A,B) in a row, A will not be B's parent unless Alice waits till A is received back from the server.
* The parent of a message is different from the "previous" message in the server's ordering, e.g. in a "simultaneous send" case two messages will have the same parent.
Due to server ordering, the sender of message i must have seen all
messages from 0...i's parent. Thus, every user-sent message i has a membership set, determined by the JOIN / USER_LEFT messages from 0...i's parent.
== Transcript hashes ==
Every message specifies its parent's sequence number. Some messages also specify a transcript hash of that parent and all prior messages. The hash also covers the sender_key for each message (set to zeros for cleartext messages):
H(parent) = SHA256(sender_key[parent] || ciphertext[parent] || H(parent-1))
== Timing ==
* Contains the sequence number and nonce of the QUERY it's responding to
* Contains the transcript hash for the QUERY
* Contains a certificate for each member at the time as of the QUERY
=== JOIN ===
* Contains a certificate for the new member
* Contains the sequence number of the MEMBER_LIST it's responding to
=== CONFIRM ===
=== DATA ===
* Encrypted under the sender's "sender key"
* Ed25519 signature from the sender's ephemeral public signing key
* Contains the sequence number for its parent
* The transcript hash and membership of its parent is included as "additional authenticated data"