pull down to refresh

Ah ok, I think I get it now.
I was confused because if a MAC is included in the ciphertext or not, the padding still needs to be checked first.
But the point is that in this model of authenticated encryption, it's a weakness if you first have to decrypt before authenticating. Knowing the ciphertext is authentic before decryption is clearly superior.
Thanks!