I can see how you might lose collision resistance with a normal 256-bit hash function, but it's not clear why a "stretched" hash with 2048 bytes of output wouldn't work.
E: Ah, there it is, in the paper:
> However, Wagner [Wag02] later showed an attack on the generalized birthday problem which could be used to find collisions
> for AdHash on an n-bit modulus in time O(2^(2√n)), and that the AdHash modulus needs to be greater
> than 1600 bits long to provide 80-bit security. Lyubashevsky [Lyu05] and Shallue [Sha08] showed
> how to solve the Random Modular Subset Sum problem (essentially equivalent to finding collisions
> in AdHash) in time O(2^(n^ε)) for any ε < 1, which indicates that AdHash requires several more orders
> of magnitude larger of a modulus just to provide 80-bit security.
E: Ah, there it is, in the paper:
> However, Wagner [Wag02] later showed an attack on the generalized birthday problem which could be used to find collisions > for AdHash on an n-bit modulus in time O(2^(2√n)), and that the AdHash modulus needs to be greater > than 1600 bits long to provide 80-bit security. Lyubashevsky [Lyu05] and Shallue [Sha08] showed > how to solve the Random Modular Subset Sum problem (essentially equivalent to finding collisions > in AdHash) in time O(2^(n^ε)) for any ε < 1, which indicates that AdHash requires several more orders > of magnitude larger of a modulus just to provide 80-bit security.