Users can only leave the conversation if the server says they left the room.
== Sender keys and Ephemeral signing Signing keys ==
When a new user joins, she generates a new AES256 key (her "sender key") and Ed25519 key (her "signing key"). She then sends these keys to existing members, encrypted under the "pairwise keys" from pairwise key agreements. This allows subsequent messages to be encrypted-and-signed once, instead of N times with pairwise keys.
=== JOIN ===
* Lists the certificate for the new member
* Contains CONFIRM messages for each member of its parent
== Encrypted messages ==
=== CONFIRM ===
* Encrypts-and-confirms an AES256 "sender key" and Ed25519 "signing key" from one member to another
* Uses pairwise TripleDH between sender and recipient keys, i.e.
HASH( DH(A_id, B_eph) || DH(A_eph, B_id) || DH(A_eph, B_eph) )