So the answer is we need 63 bits to ensure this probability is less than one-half.
And the way to think about this is assuming the uniform distribution
of our ideal hash function, every time the probability that one guess maps to H
is 1 over the number of bits, or 2 to the negative b.
We'll use b to represent the number of bits.
So with our random oracle model, for any given guess the probability
that it hashes to a particular value is 2 to the negative b.
The probability a guess is bad is 1 minus that.
And now over a series of guess, the probability that they're all bad
is that raised to the number of guesses power.
And we've said that k is equal to the number of guesses here,
which we said was 2 to the 62, and we can solve 1 minus 2 to the negative 62
to the 2 to the 62.
That's equal to approximately 0.63.
There are lots of ways to solve this.
You could try computing this in Python.
These numbers get pretty big.
The easiest way to solve this is to just plug this into Wolfram-Alpha.
There are also, certainly, mathematical things you could do
to get this equation in a simpler form,
but since we just want the answer, it's easier to just try plugging in some numbers.
If we increase the number of bits by 1,
that means the probability for each guess being bad increases to 1 minus 2 to the negative 63,
and that turns out to be 0.39.
That means 63 is the fewest number of bits to provide
the attacker with less than a 50% chance of finding a pre-image
that maps to the same hash value
in 2 to the 62 guesses.
