Is there any functional or strong security difference beyond speed between
- AES-GCM-SIV with implicit fixed public IV and no additional data
- AES-CTR (or AES-OFB) with 128-bit IV computed per HMAC-SHA-512 on the message, included at start of ciphertext, and checked on decryption
when used with a key of the same length, 128 or 256-bit?
And if 2 was not proper deterministic symmetric authenticated encryption (when the total amount of plaintext encrypted under a given key remains well below the birthday bound), I also want to know!
