
Are there competing two-pass authenticated-encryption proposals?


Absolutely. The traditional approach for achieving authenticated-encryption was to use generic composition. Using separate keys, you should encrypt the plaintext and then MAC the resulting ciphertext. You can use any encryption scheme and any MAC that you like, and the composite scheme is guaranteed to do what it should do. To offer the same basic “service” as OCB you’ll need, in the end, to do something like this. For privacy, use CBC mode with ciphertext-stealing and an IV derived by enciphering the nonce. For authenticity, use the CBC MAC variant known as CMAC. Use standard key separation to make all the needed keys. Make sure the MAC is taken over the IV of the encryption scheme. There are various pitfalls people run into when trying to do a homebrewed combination of privacy and authenticity. Common errors include: (1) a failure to properly perform key separation; (2) a failure to use a MAC that is secure across different message lengths; (3) omitting the IV from what is MACed; (4)
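The encrypt-then-MAC composition described in the answer above, as an added example that is not part of the original answer. Because the answer says any encryption scheme and any MAC may be composed, and the Python standard library has no AES, this sketch swaps in HMAC-SHA256 for CMAC and an HMAC-based counter-mode keystream for CBC with ciphertext stealing, and uses the nonce directly as the IV; the function names and key-derivation labels are assumptions made for the illustration.

```python
import hashlib
import hmac

TAG_LEN = 32    # HMAC-SHA256 output length in bytes
NONCE_LEN = 16  # fixed length keeps nonce || ciphertext unambiguous under the MAC


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Key separation: independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"etm-example/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"etm-example/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(master_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC the nonce (IV) and ciphertext together."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes and never reused under one key")
    enc_key, mac_key = derive_keys(master_key)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag in constant time before any decryption happens."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ciphertext)
```

The three pitfalls the answer lists before it breaks off map to `derive_keys` (key separation), the choice of HMAC (secure across message lengths), and the `nonce + ciphertext` input to the tag (IV included in what is MACed).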
