I wrote:
... But there's a paper by Koblitz and Menezes ("Another look at provable security, II") that (so it claims; I haven't checked the details) actually works through the analysis with numbers rather than O(...) everywhere, and it turns out that for numbers of this sort of size you end up with no useful security guarantee at all! (That is, the implicit constants in the various O()s screw you over.) Before you get anything useful you need moduli about 5000 bits in length (extracting a single bit from each squaring), at which case the attacker needs to do something like 2^84 operations to break the cipher.
It's maybe worth stressing that that's how conservative you need to be when using BBS if you want to avail yourself of the *proofs* of security it comes with. If you're content to say "No one knows a way to break BBS that's better than factoring the modulus, and no one knows a feasible way to factor 2048-bit numbers in reasonable time" then you can stick with your 2048-bit modulus and pulling out 32 bits from each squaring, and I guess you'll probably be OK in practice. But I'm not an expert on this stuff, and the paragraph above may be too optimistic. -- g