Users can only leave the conversation if the server says they left the room.
== Sender keys and Ephemeral signing keys ==When a new user joins, she generates a new AES256 key (TBD: should users be able her "sender key") and Ed25519 key (her "signing key"). She then sends these keys to declare that they're leavingexisting members, or kick each other out?)encrypted under the "pairwise keys" from pairwise key agreements. This allows subsequent messages to be encrypted-and-signed once, instead of N times with pairwise keys.
== Sender keys ==When Every time a new user joins, she exchanges AES256 "sender keys" with existing members, encrypted under the "pairwise keys" from pairwise key agreements. This allows subsequent messages to be message is encrypted once or decrypted with a sender key, instead of N times with pairwise keys.the key is updated to provide forward secrecy:
Every time a message is encrypted or decrypted with a sender key, the key is updated as: sender_key = HMAC-SHA256(prev_sender_key, member_list"0") This provides forward secrecy and ensures new members can't decrypt messages prior to when they joined.
== Server order ==