One thing that occurs to me: suppose I go to control, collect cancel messages, and build myself a collection of M1's that will work with a given M2?

That is, I can't actually invert the hashing function. But if a given hash function is standard, then I can eventually build up a collection of M1s for M2s that will let me cancel quite a few things I may want to. How many cancel messages come through in a day?

You would have to collect quite a few cancels just to get one pair of valid hashes for a message you want to cancel... You don't even need to collect cancels from control; you could just start hashing 128-bit strings until you got one that hashed to M2. The catch is you would have to hash on the order of 2^64 strings for MD5, for instance. That's a lot of hashing to cancel one article... It's likely going to be much less work to try to guess the passphrase used to generate M1. There is also a better than average chance that the target used the same passphrase to lock multiple posts... andrew