The next thing we're going to look at
is how big does the hash output need to be
to provide the properties we need?
So first let's just consider a weak collision resistance.
So the question is assuming that our attacker has just enough computing power
to perform 2 to the 62 hashes, how many bits should our ideal hash function--and
we're assuming now that we have an ideal hash function that provides a perfect
uniform distribution on the outputs--to provide weak collision resistance?
And to formalize what we mean by providing that, let's assume
that we're satisfied as long as the attacker's success probability of finding
some pre-image that hashes to our value H is less than one-half.
Of course, for most applications we want this probability to be much less than one-half.
To answer, give the number of bits in the output of H.
