yeah, i think if i am gonna do an impossible to crack ECDH based encryption scheme it will use a 256 bit GCM style based on the hash of the secret and nonce, so it will have zero repeats within the realms of our current bandwidth requirements, and a 32 bit nonce all of those short bits, like GCM-AES 32 bit counter and CTR's 64 bit counter the ideal is GCM, and the strongest hash we know of to date is SHA256 the others that are trendy these days, like Blake2/2b/3 and ChaCha20 etc make compromises to make them more performant, but if performance is no issue, as it isn't for most hardware now, 64 bit AMD architecture or ARM, or even RISCV, they all have now got SIMD capabilities that mean these hash functions are now cheap and all those bit shavings are not essential sure, support teh old style, for old stuff and low power stuff, i mean really low power stuff, where security is zero if the thing goes dark, but for everyone else...
not sure if you understand how hash chains work... yes, a GCM style cipher you have to generate hash chains, so for message block 10000 you have to do 10000 hashes on the seed GCM is the best design, but the shitty AES standard limits a stream of data on one nonce/secret to 4gb, and i think that should be bigger by now