AES-OGCM-1 and AES-OGCM-2 can encrypt at most [2.sup.96] plaintexts in the nonce-respecting scenario, the maximum length of the plaintext is about [2.sup.3]2 blocks (64 GBytes), and the privacy and authenticity achieve roughly 107.9565-bit or 121.9339-bit security which is better than those of AES-GCM (about 64-bit security).
Tackmann, "The multi-user security of authenticated encryption: AES-GCM in TLS 1.3," in Advances in cryptology--CRYPTO 2016, vol.
Table 1: Comparisons among AES-GCM , AES-OGCM-1, and AES-OGCM-2.
Advantage over AES-GCM. The proposed scheme has several advantages over AES-GCM which is currently the official standard for authenticated encryption .
In terms of performance, the speed of AES-GCM was compared against the proposed cipher on a computer with an Intel i7-4700MQ processor and 8 Gb of RAM.