But even if computation is the same, unencyrpting and then authenticating is at least a factor of two more work. That's far from clear to me. If both the plaintext and the checksum are encrypted, you can probably use a much weaker algorithm than a cryptographic hash function, I'd think. Or am I missing some attacks?