There are three important things to note about decipher oracle
DSIV. First is that the keystream is computed as a pseudorandom function of the tag; second is that the adversary has direct control over the tag being input into the oracle; third is that the distinguisher requires distinct ciphertexts paired with an identical tag. What we can do is blind the tag as a pseudorandom function of the ciphertext:
With decipher oracle
DRIV, it is easy to see that the distinguisher no longer applies. The tag is effectively encrypted by a pseudorandom function of the ciphertext, which results in two uncorrelated tags given two distinct ciphertexts.
Similar to the SIV mode, we can add session support to the RIV mode as well:
The mode described here can be viewed as a special case Feistel network: