and follow the links even deeper if you like. Numerous people have spent a great deal of time in prison for violating these copyright/patent/import and export laws.
All of your numbers of possible combinations and permutations for the AES-256 bit encryption assume a brute force attack. This paper published 22 years ago was "authorized" (ie allowd to be published from worked researched years earlier) and presents mathematical attacks on block ( and stream ) cyphers which significantly reduce the complexity in both time and space of a brute force attack. I am sure that world class mathematicians employeed by numerous .govs around the world have even more tricks up their sleeves. US laws regarding encryption do not protect you from those people who have the brains and resources to attack these cyphers with better methods than brute force only from those who don't have the requisite resources.
This paper is from Canada. I assume the pdf is free of adobe "back doors". (LOL)
Linear differential cryptanalysis
The first casualty of war is truth! Loose lips sink ships! Believe half of what you see and none of what you hear! etc.
That paper you linked to is for "Symmetric Key Encryption" . . . again, an encryption used for communication, where there are two keys held at either end of the communication. Apple's system is a single key encryption used to encrypt stored data, which is NOT used for communication. . . nor is intended for another party to decrypt it. A single key is much harder to decrypt because there is just a single way to decrypt it. There are not any need for multiple factors to retrieve keys from multiple holders of the access. When there is only ONE key, the only way to decrypt the data is to use that ONE key. . . or to try and find some way to derive that key from the nature of the data. Both are extremely difficult.
A system such as the paper described was used to hack the 128 bit AES encryption used by iMessage and FaceTime. . . but it required the complicity of an Apple iPhone user to send many thousands of almost identical copies of a photo with very subtle variations known to the hackers who were using a man-in-the-middle fake Apple Server. They were able to analyze the slight changes from photo to photo and from those differences derive the symmetric communication encryption key.
The laws against export of RSA and other encryption algorithms became moot years ago when it turned out that many of the students CREATING them were foreign students who just simply went home. It became unenforceable. Some of the strongest algorithms come from off shore. So much for that argument.
One of the disadvantages for anyone trying to decrypt these data on Apple devices is that the data on the Flash drive that might give some idea of what one is looking at is randomized as to location. It makes it very difficult to identify what and where files are. . .
All of these approaches are very expensive in time and money. The data you want to retrieve has to exceed the value of that time and money to make it worth while.
All of these are working on the assumption that there is a unified encryption key for multiple devices. On Apple, there is not. Every device has its own unique encryption key derived from the Users passcode, a Unique Device ID, a Device Group ID, and a truly Entropic random number created when the user first entered his user passcode. . . all entangled together to create the encryption key. Each device has to be decrypted individually. Now, the cost of breaking the encryption has climbed immensely.
Hey Lurk. Great insights in your post, but I want to point out that linear differential cryptanalysis has been deprecated since most modern ciphers are generated using elliptic curves. This makes linear investigation of cryptography useless.