yeah, i think if i am gonna do an impossible to crack ECDH based encryption scheme it will use a 256 bit GCM style based on the hash of the secret and nonce, so it will have zero repeats within the realms of our current bandwidth requirements, and a 32 bit nonce

all of those short bits, like GCM-AES 32 bit counter and CTR's 64 bit counter

the ideal is GCM, and the strongest hash we know of to date is SHA256

the others that are trendy these days, like Blake2/2b/3 and ChaCha20 etc make compromises to make them more performant, but if performance is no issue, as it isn't for most hardware now, 64 bit AMD architecture or ARM, or even RISCV, they all have now got SIMD capabilities that mean these hash functions are now cheap and all those bit shavings are not essential

sure, support teh old style, for old stuff and low power stuff, i mean really low power stuff, where security is zero if the thing goes dark, but for everyone else...