by some_furry 1077 days ago
What benefit do you hope to gain from an arbitrarily long nonce?

The design I sketched out extended the 96-bit GCM nonce to 224 bits, which is longer than the 192 bits of XSalsa and XChaCha. That's also the maximum that's supported by the algorithms as used.

If we supported arbitrarily longer inputs to AES-CBC-MAC, it's going to get mixed down into an AES block (128 bits long) anyway, so the benefit of arbitrary-length extensions over a 128-bit extension is unclear to me.


That would make AES-XGCM an immediate replacement for AES-GCM that already supports an arbitrarily long nonce.
The "arbitrarily long nonce" gets hashed down (using GHASH) to 96 bits.

I mean, sure, if you really want to, you can already do that with the GCM part. I would hesitate to do that to the AES-CBC-MAC part.

Your proposal would then be to dedicate the first 16 bytes (128 bits) to the extension, and the rest to GCM.
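The "GCM part" referred to above is GCM's own handling of a nonce that is not 96 bits: the standard (NIST SP 800-38D) runs the padded IV and its bit length through GHASH to form the initial counter block J0. The following is an added example, not code from the thread or from any AES-XGCM design; it implements that derivation in pure Python, and because AES is not implemented here the hash subkey H (normally AES_K(0^128)) is passed in as a constructed placeholder.

```python
# Added example: how GCM (NIST SP 800-38D, section 7.1) absorbs a nonce
# that is not 96 bits long by hashing it with GHASH into the initial
# counter block J0. The hash subkey H is a constructed placeholder here
# because AES itself is not implemented in this snippet.

R = 0xE1 << 120            # reduction constant for x^128 + x^7 + x^2 + x + 1
ONE = 1 << 127             # multiplicative identity in GCM's reflected bit order


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) per SP 800-38D Algorithm 1 (bit 0 is the MSB)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H over data, which must be a whole number of 16-byte blocks."""
    assert len(data) % 16 == 0
    hk, y = int.from_bytes(h, "big"), 0
    for off in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[off:off + 16], "big"), hk)
    return y.to_bytes(16, "big")


def derive_j0(h: bytes, iv: bytes) -> bytes:
    """Initial counter block J0 for an IV of any length (SP 800-38D 7.1)."""
    if len(iv) == 12:                      # 96-bit fast path: no hashing at all
        return iv + b"\x00\x00\x00\x01"
    pad = (-len(iv)) % 16                  # zero-pad the IV to a block boundary
    blocks = iv + bytes(pad) + bytes(8) + (8 * len(iv)).to_bytes(8, "big")
    return ghash(h, blocks)                # longer IV is mixed down to 128 bits


if __name__ == "__main__":
    H = bytes(range(16))                   # constructed placeholder subkey
    iv96 = bytes(range(12))                # constructed 96-bit nonce
    iv224 = bytes(range(28))               # constructed 224-bit nonce, as in the thread
    print("J0 (96-bit IV): ", derive_j0(H, iv96).hex())
    print("J0 (224-bit IV):", derive_j0(H, iv224).hex())
```

Note that the output of the GHASH path is a full 128-bit counter block, of which the low 32 bits are then incremented per block during encryption.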