That paper you linked to is for "Symmetric Key Encryption" . . . again, an encryption used for communication, where there are two keys held at either end of the communication. Apple's system is a single key encryption used to encrypt stored data, which is NOT used for communication. . . nor is intended for another party to decrypt it. A single key is much harder to decrypt because there is just a single way to decrypt it. There are not any need for multiple factors to retrieve keys from multiple holders of the access. When there is only ONE key, the only way to decrypt the data is to use that ONE key. . . or to try and find some way to derive that key from the nature of the data. Both are extremely difficult.
A system such as the paper described was used to hack the 128 bit AES encryption used by iMessage and FaceTime. . . but it required the complicity of an Apple iPhone user to send many thousands of almost identical copies of a photo with very subtle variations known to the hackers who were using a man-in-the-middle fake Apple Server. They were able to analyze the slight changes from photo to photo and from those differences derive the symmetric communication encryption key.
The laws against export of RSA and other encryption algorithms became moot years ago when it turned out that many of the students CREATING them were foreign students who just simply went home. It became unenforceable. Some of the strongest algorithms come from off shore. So much for that argument.
One of the disadvantages for anyone trying to decrypt these data on Apple devices is that the data on the Flash drive that might give some idea of what one is looking at is randomized as to location. It makes it very difficult to identify what and where files are. . .
All of these approaches are very expensive in time and money. The data you want to retrieve has to exceed the value of that time and money to make it worth while.
All of these are working on the assumption that there is a unified encryption key for multiple devices. On Apple, there is not. Every device has its own unique encryption key derived from the Users passcode, a Unique Device ID, a Device Group ID, and a truly Entropic random number created when the user first entered his user passcode. . . all entangled together to create the encryption key. Each device has to be decrypted individually. Now, the cost of breaking the encryption has climbed immensely.
The apple phone I believe is encrypted with a block AES-256 bit hardware S-box. Given the repeating opcodes and and addressing modes and other structures within a computers memory It shouldn't be to difficult if one has physical access to the phone ( or ssh wink wink nod nod say no more say no more ). A simple search will show that current research believes that AES-256 is less secure than AES-128.
Friends make arrangements for one time pads!
When I was in grad school and we had to give a monthly presentation of our work, when we didn't fully know and/or understand what we were talking about we called it our monthly stand-up, turn around and speak out your arse session. The profs just liked a good laugh!
Truth to me is that this event is indistinguishable from propaganda and we may know the truth in 20 to thirty years. Some of use may know sooner than others ;)