Score:3

Error-correcting as part of an encryption scheme?

If we do not encrypt a message, we can use a checksum to check data integrity. For authenticated encryption, we no longer need the checksum because we use the authentication tag to verify data integrity.

The above is about error-checking. Now, for error correcting (like Hamming code), is there an encryption scheme that

  1. Can check for integrity,
  2. Can correct one or two bit flips of the ciphered text, and
  3. The encrypted message is a random byte string statistically?

The authenticated encryption scheme has 1 and 3 but not 2. Of course, we can add a layer of ECC after encryption. But then 3 does not hold, as ECC makes the encrypted stream not entirely random.

We know it is better to use authentication tags instead of just adding a SHA-256 checksum to the message for verification. I wonder whether, following this way of reasoning, we can merge encryption, authentication, and ECC together in a nice way.

Maarten Bodewes (comment):
Would using a stream cipher over a plaintext message with error correction fit your needs? For XOR-based stream ciphers each bit flip in the ciphertext would be a bit flip in the same bit of the plaintext. So you could correct those bits *after* decryption. Obviously *additional* or *removed* bits are more problematic. If you want you can first create a MAC over the plaintext, then add error correction and finally encrypt.
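The ordering suggested in the comment (MAC over the plaintext, then error correction, then an XOR stream cipher), as an added worked example that is not part of the thread. HMAC-SHA-256 in counter mode stands in for a real stream cipher such as ChaCha20 (an assumption so the code runs on the standard library alone), Hamming(7,4) is the error-correcting code, and the keys, nonce and message are constructed for the demo. It also checks the question's point 3: the ciphertext carries no Hamming structure, whereas Hamming-coding the ciphertext (ECC after encryption) would.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA-256 tag length in bytes

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """XOR keystream: HMAC-SHA-256 in counter mode stands in for a real stream cipher (assumption)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits: list) -> bytes:
    bits = bits + [0] * (-len(bits) % 8)  # zero-pad to whole bytes
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def hamming_encode(data: bytes) -> bytes:
    """Hamming(7,4): every nibble becomes the 7-bit codeword p1 p2 d1 p3 d2 d3 d4."""
    bits = []
    for byte in data:
        for nib in (byte >> 4, byte & 0x0F):
            d1, d2, d3, d4 = (nib >> 3) & 1, (nib >> 2) & 1, (nib >> 1) & 1, nib & 1
            bits += [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]
    return bits_to_bytes(bits)

def syndromes(data: bytes) -> list:
    """(codeword, syndrome) per 7-bit group; 0 means clean, else the 1-based flipped position."""
    bits = bytes_to_bits(data)
    out = []
    for i in range(0, len(bits) - len(bits) % 7, 7):
        cw = bits[i:i + 7]
        s1 = cw[0] ^ cw[2] ^ cw[4] ^ cw[6]
        s2 = cw[1] ^ cw[2] ^ cw[5] ^ cw[6]
        s3 = cw[3] ^ cw[4] ^ cw[5] ^ cw[6]
        out.append((cw, s1 + 2 * s2 + 4 * s3))
    return out

def hamming_decode(coded: bytes):
    """Correct at most one flipped bit per codeword. Returns (data, number of corrections)."""
    nibbles, corrected = [], 0
    for cw, syndrome in syndromes(coded):
        if syndrome:
            cw[syndrome - 1] ^= 1
            corrected += 1
        nibbles.append(cw[2] << 3 | cw[4] << 2 | cw[5] << 1 | cw[6])
    data = bytes(nibbles[j] << 4 | nibbles[j + 1] for j in range(0, len(nibbles) - 1, 2))
    return data, corrected

def clean_codeword_fraction(data: bytes) -> float:
    """Share of 7-bit groups with zero syndrome: 1.0 for coded data, about 1/8 for random bytes."""
    syn = syndromes(data)
    return sum(1 for _, s in syn if s == 0) / len(syn)

def protect(mac_key: bytes, enc_key: bytes, nonce: bytes, message: bytes) -> bytes:
    """MAC over the plaintext, then error correction, then encryption."""
    tagged = message + hmac.new(mac_key, message, hashlib.sha256).digest()
    coded = hamming_encode(tagged)
    return xor_bytes(coded, keystream(enc_key, nonce, len(coded)))

def recover(mac_key: bytes, enc_key: bytes, nonce: bytes, ciphertext: bytes):
    """Decrypt, correct bit flips, verify the tag. Returns (message or None, corrections)."""
    coded = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    tagged, corrected = hamming_decode(coded)
    message, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, corrected
    return message, corrected

def flip_bits(data: bytes, positions) -> bytes:
    """Invert the given bit positions (0 = MSB of byte 0) to simulate channel errors."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(buf)

# Constructed demo keys, nonce and message (not taken from the thread).
MAC_KEY = bytes(range(32))
ENC_KEY = bytes(range(32, 64))
NONCE = b"demo-nonce"
MESSAGE = b"error correction before encryption keeps the ciphertext random-looking"

def demo():
    ct = protect(MAC_KEY, ENC_KEY, NONCE, MESSAGE)
    return (
        recover(MAC_KEY, ENC_KEY, NONCE, ct),                      # no errors
        recover(MAC_KEY, ENC_KEY, NONCE, flip_bits(ct, [5])),      # one flip in codeword 0
        recover(MAC_KEY, ENC_KEY, NONCE, flip_bits(ct, [5, 40])),  # flips in codewords 0 and 5
        recover(MAC_KEY, ENC_KEY, NONCE, flip_bits(ct, [0, 1])),   # two flips in one codeword
    )
```

Single flips, and two flips falling in different codewords, are corrected after decryption and the tag verifies; two flips in the same codeword are miscorrected by Hamming(7,4) and the MAC catches it, which is why the tag is still needed on top of the ECC. Because the code is applied before the keystream, `clean_codeword_fraction` of the ciphertext is near the 1/8 expected for random bytes, while Hamming-coding the ciphertext would make it exactly 1.0.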
Score:0

Following an idea in a comment to the question:

  • compute and append a MAC (e.g. HMAC-SHA-256 with a 256-bit key)
  • add Forward Error Correction
  • choose a random 16-byte IV, output it followed by the AES-256-CFB-1 ciphertext computed with a 256-bit key over the result of the previous step.

On receive we extract the 16-byte IV, decipher, use FEC to correct errors, and check the MAC.

CFB-1 is suggested because a 1-bit error propagates to at most the next 128 bits, and re-synchronizes on bit loss.

The FEC needs to be optimized for long bursts of errors, which is standard in telecom (not DRAM); and bit loss (if it can occur), which is less common in my limited experience, but still achievable I guess.

The MAC computation need not be a separate step; it can be done during encryption and decryption, as an online algorithm.
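The two CFB-1 properties the answer relies on (a flipped ciphertext bit corrupts at most the 128 plaintext bits that follow it, and decryption re-synchronizes 128 bits after a dropped bit), as an added example that is not from the answer. CFB only ever uses the block cipher's encryption direction, so HMAC-SHA-256 truncated to 128 bits stands in for AES-256 (an assumption so the code runs on the standard library); the key, IV and plaintext are constructed and fixed so the results are reproducible.

```python
import hmac
import hashlib

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1

def block_fn(key: bytes, state: int) -> int:
    """Forward direction of a 128-bit block cipher: HMAC-SHA-256 truncated to 128 bits stands in for AES-256."""
    digest = hmac.new(key, state.to_bytes(16, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:16], "big")

def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def cfb1_encrypt(key: bytes, iv: bytes, plain_bits: list) -> list:
    """CFB with a 1-bit segment (NIST SP 800-38A CFB-1): one block-cipher call per plaintext bit."""
    sr = int.from_bytes(iv, "big")  # 128-bit shift register seeded with the IV
    cipher_bits = []
    for p in plain_bits:
        c = p ^ (block_fn(key, sr) >> (BLOCK_BITS - 1))  # XOR with the MSB of E_k(register)
        cipher_bits.append(c)
        sr = ((sr << 1) | c) & MASK  # the ciphertext bit is fed back into the register
    return cipher_bits

def cfb1_decrypt(key: bytes, iv: bytes, cipher_bits: list) -> list:
    sr = int.from_bytes(iv, "big")
    plain_bits = []
    for c in cipher_bits:
        plain_bits.append(c ^ (block_fn(key, sr) >> (BLOCK_BITS - 1)))
        sr = ((sr << 1) | c) & MASK  # register state depends only on received ciphertext bits
    return plain_bits

# Constructed demo key, IV and plaintext (not from the thread).
KEY = bytes(range(32))
IV = bytes(range(16, 32))
PLAIN = bytes_to_bits(b"CFB-1 confines a flipped ciphertext bit to the next 128 plaintext bits "
                      b"and resynchronises after a dropped bit")

def wrong_positions_after_flip(flip_pos: int) -> list:
    """Indices of plaintext bits that decrypt wrongly once ciphertext bit flip_pos is inverted."""
    ct = cfb1_encrypt(KEY, IV, PLAIN)
    ct[flip_pos] ^= 1
    pt = cfb1_decrypt(KEY, IV, ct)
    return [i for i, (a, b) in enumerate(zip(PLAIN, pt)) if a != b]

def resync_index_after_drop(drop_pos: int) -> int:
    """Delete ciphertext bit drop_pos; return the first index from which every later bit decrypts
    correctly. Received bit i is now the sender's bit i+1, so correct output means pt[i] == PLAIN[i+1]."""
    ct = cfb1_encrypt(KEY, IV, PLAIN)
    del ct[drop_pos]
    pt = cfb1_decrypt(KEY, IV, ct)
    bad = [i for i in range(len(pt)) if pt[i] != PLAIN[i + 1]]
    return bad[-1] + 1 if bad else 0

if __name__ == "__main__":
    errs = wrong_positions_after_flip(100)
    print("flip at 100: wrong bits between", errs[0], "and", errs[-1], "count", len(errs))
    print("drop at 100: decryption correct again from bit", resync_index_after_drop(100))
```

The flip experiment is the reason the FEC in this construction must be tuned for bursts: one channel flip becomes the flipped bit plus up to 128 pseudo-random plaintext bits after CFB-1 decryption, and the FEC (applied before encryption, so it acts on that decrypted output) has to absorb the whole burst. The drop experiment shows the self-synchronizing property: once 128 correct ciphertext bits have shifted through the register, decryption is correct again, with the plaintext shifted by one bit position.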
