The XAES-256-GCM extended-nonce AEAD

About a year ago, the author expressed a desire for XAES-256-GCM/11, and that specification now exists. XAES-256-GCM is an AEAD with 256-bit keys and 192-bit nonces, designed so that a large, randomly generated nonce can safely be used for an unlimited number of messages. It offers FIPS 140 compliance and is simple to implement with common libraries. The construction costs three AES-256 calls per message to derive the per-message key, but remains efficient. Compliance and compatibility make it widely applicable, with library support comparable to other standard cryptographic algorithms. The specification also discusses the alternatives considered and provides extensive test vectors. XAES-256-GCM aims to be a safe, compliant, and interoperable AEAD for high-level APIs, avoiding Go-specific constructions.

https://words.filippo.io/dispatches/xaes-256-gcm/
