You are reading content from Scuttlebutt
@Dominic %oYmULuW05ORaU6CYnH9L9D9Mml7lGc6eNSWEztedOZU=.sha256
Re: %PBKwv8CsV

@Cole I've thought about a ratchet, but a group ratchet is a lot more complicated, especially when someone might post with an out-of-date key. I think I'll just implement a simple version first. I think that will still be useful for large groups - where the private group is just a bit more of a fence, so you can do your own thing inside, than about preventing anything ever getting out at all costs.

Okay, I looked up how Matrix does it... it uses Megolm. Unfortunately, the properties are not particularly impressive. The "ratchet" is essentially just updating the key=hash(key) (it's more complicated than that, but I don't think it changes this property). That means it has a lack of backward secrecy: if you leak someone a key, they can still read all future messages. Also, if you plan to leak something, you could just save the oldest key you have... So it doesn't really gain much from all this ratcheting.

Matrix does use the heavy-duty encryption to protect content within a chat room - but it doesn't hide who is in the room! I think this metadata is actually somewhat more important than the content. That is one big thing ssb private messages do have - who is in the group is quite well hidden.
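
The forward-only property described in the post, as an added example that is not part of the original post and is not Matrix's or Megolm's own code: it models the ratchet the way the post simplifies it (`key = hash(key)`) and shows which messages a holder of one leaked key can open. The SHAKE-256/HMAC sealing, all function names and the sample messages are constructed for this demo.

```python
import hashlib
import hmac

def advance(key):
    # One ratchet step in the post's simplified model: key = hash(key).
    return hashlib.sha256(key).digest()

def key_at(known_key, known_index, index):
    # Walk forward from a key someone holds to the key for message `index`.
    if index < known_index:
        raise ValueError("cannot ratchet backwards without a SHA-256 preimage")
    for _ in range(index - known_index):
        known_key = advance(known_key)
    return known_key

def _subkeys(chain_key):
    return (hmac.new(chain_key, b"enc", hashlib.sha256).digest(),
            hmac.new(chain_key, b"mac", hashlib.sha256).digest())

def seal(chain_key, plaintext):
    # Toy encrypt-then-MAC (SHAKE-256 keystream XOR), a stand-in for a real AEAD.
    enc, mac = _subkeys(chain_key)
    stream = hashlib.shake_256(enc).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return hmac.new(mac, body, hashlib.sha256).digest() + body

def unseal(chain_key, sealed):
    enc, mac = _subkeys(chain_key)
    tag, body = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    stream = hashlib.shake_256(enc).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def readable_indexes(known_key, known_index, messages):
    # Which messages can a holder of (known_key, known_index) decrypt?
    readable = []
    for i, sealed in enumerate(messages):
        try:
            unseal(key_at(known_key, known_index, i), sealed)
            readable.append(i)
        except ValueError:
            pass
    return readable

# Constructed sample: five messages, the sender ratchets once per message.
ROOT = hashlib.sha256(b"constructed demo root key").digest()
MESSAGES = [seal(key_at(ROOT, 0, i), b"message %d" % i) for i in range(5)]
KEY_2 = key_at(ROOT, 0, 2)  # the only key a leak at index 2 hands over
```

`readable_indexes(KEY_2, 2, MESSAGES)` covers index 2 and everything after it, while whoever kept `ROOT` can read the whole history, which is the "save the oldest key you have" point.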
