Comment by SAI_Peregrinus

20 days ago

OCB3 also allows associated data (AD). Rogaway's FAQ[1] describes the history of the versions. OCB1 didn't have AD; OCB2 tried to fix that but was less efficient. OCB3 is the final version of OCB, and is a proper AEAD cipher. After OCB3 was created, OCB2 was broken, but OCB1 and OCB3 remain secure. OCB3 is provably secure, and at least 2x as fast as GCM without hardware acceleration. In theory it'd be faster with hardware acceleration, but that's only likely in an FPGA or ASIC implementation, since GCM is fast enough and accelerated in modern CPUs. Intel & AMD aren't going to spend the die area on OCB.

I like OCB, it's an elegant construction, but I'm more likely to use and recommend GCM because GCM is good enough and allows much easier interop, since it's more widely used. Since AEGIS is nicer as a high-performance cipher system, and Ascon is better for constrained systems, OCB doesn't really have a niche where it's the best choice.

[1] https://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm