I am planning to implement key agreement in an application, and Curve25519 offers the right properties for 128-bit security (AES-128). In a question I previously asked ("Can Curve25519 shared secret be safely truncated to half its size?"), it was pointed out to me that hashing of the shared secret is recommended ("Why must curve25519 shared secret be hashed?"), which provides a way of getting the right amount of bits for the symmetric crypto.

However, Curve25519 is not strong enough for AES-192 or AES-256 (or else Curve25519 would be clearly the weakest link and AES-192 / AES-256 would be kind of pointless, although "After ECDH with Curve25519, is it pointless to use anything stronger than AES-128?" seems to argue otherwise), so Curve448 is a logical next step if more security is needed.

Should I also hash the Curve448 output in the same way Curve25519 output should be hashed? Or is the Curve448 output safe as-is?

juhist

0 Answers