From this, it is clear that Encrypt-then-Mac provides more complete security than Mac-then-Encrypt but some schemes use Mac-then-encrypt to provide nonce-misuse resistance such as SIV (AES-GCM-SIV, AES-CCM-SIV) or DEOXY II, ESTATE by generating a tag and use it as IV for the encryption part.
Q. How is the use of Mac-then-encrypt provide nonce-misuse security?
