sender_key = HMAC-SHA256(prev_sender_key, "0")
== Server order ==
All clients see the same message order from the server. All messages are sent to all users. Aside from the presence messages sent by the server, messages are sent by users.
All messages in a room have a unique sequence number (0, 1, ...). Sequence numbers are implicit, as the server may not be aware of them (e.g. XMPP MUC).
A new user synchronizes his view of sequence numbers via the QUERY / MEMBER_LIST messages (see below).
== Causal order ==
Some user-sent messages specify a "parent" sequence number which is the last message the user received before sending it. Note:
* If Alice sends messages (A,B) in a row, A will not be B's parent unless Alice waits till A is received back from the server.
* The parent of a message is different from the "previous" message in the server's ordering, e.g. in a "simultaneous send" case two messages will have the same parent.
Due to server ordering, the sender of message i must have seen all
messages from 0...i's parent. Thus, every user-sent message i has a membership set, determined by the JOIN / USER_LEFT messages from 0...i's parent.
== Transcript hashes ==
Encrypted messages include a "transcript hash" of their parent and all prior messages as "additional authenticated data".
The hash also covers the sender_key for DATA messages (set to zeros for all other messages):
H(parent) = SHA256(sender_key[parent] || msg[parent] || H(parent-1))
== Timing ==