Is there such a project? I could not find it. Why not? Should we create it?

The system basically helps the user's new device recover an encryption key that was created on a prior device. At Apple, secure hardware (HSMs) asks you to verify that you know your iPhone PIN, and you get 10 tries. If you guess it right, the HSM gives your new device the decryption key to your iCloud backup. Apple cannot decrypt it without hacking into the HSM.

An open version of this system could be even more secure, and quite simple. Just have the device pick N protection servers and use a Shamir secret sharing scheme to create a strong secret, maybe 256 bits. The secret shares can be uploaded to each of the N servers along with the user ID. The servers then act as a threshold (T-of-N, per the Shamir scheme used) oblivious pseudorandom function (OPRF), enabling the user's device to compute an AES-GCM encryption key. Recovery is similar, with each server only allowing up to, say, 10 OPRF operations before refusing to do more. This is to prevent an attacker from easily brute-force guessing the PIN.
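As an added illustration (not the poster's code), here is a toy Python model of the T-of-N OPRF recovery described above: the OPRF key is Shamir-split across protection servers, each server evaluates blinded queries and refuses after 10, and the client combines T answers into the AES-GCM key. The 23-element group is a constructed toy, and the `ProtectionServer` class, user ids and PINs are assumptions; a real build would use a standard elliptic-curve group.

```python
import hashlib
import secrets

P, Q = 23, 11  # constructed toy safe prime p = 2q+1; a real build would use a standard elliptic-curve group

def hash_to_group(pin):
    """Map the PIN into the order-q subgroup of Z_p* (squaring yields a quadratic residue)."""
    x = int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big") % (P - 2) + 2
    return pow(x, 2, P)

def shamir_split(secret, t, n):
    """T-of-N Shamir shares over Z_q: share i is f(i) for a random polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Coefficient that share i contributes to f(0) when interpolating over `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

class ProtectionServer:
    """Stores one OPRF key share per user id and refuses more than MAX_TRIES evaluations (the post's 10)."""
    MAX_TRIES = 10
    def __init__(self):
        self.shares, self.tries = {}, {}
    def register(self, user_id, share):
        self.shares[user_id], self.tries[user_id] = share, 0
    def evaluate(self, user_id, blinded):
        if self.tries[user_id] >= self.MAX_TRIES:
            raise PermissionError("OPRF attempt limit reached for " + user_id)
        self.tries[user_id] += 1
        return pow(blinded, self.shares[user_id], P)  # blinded^(k_i); the server never sees the PIN

def enroll(user_id, servers, t):
    """Original device: pick the OPRF key k, Shamir-split it, hand each server one share."""
    k = secrets.randbelow(Q - 1) + 1
    for i, share in shamir_split(k, t, len(servers)).items():
        servers[i - 1].register(user_id, share)

def derive_key(pin, user_id, servers):
    """Any device: blind H(pin), query T servers (dict share-index -> server), combine, unblind, hash."""
    r = secrets.randbelow(Q - 1) + 1
    blinded = pow(hash_to_group(pin), r, P)
    ids, combined = list(servers), 1
    for i in ids:
        combined = combined * pow(servers[i].evaluate(user_id, blinded), lagrange_at_zero(i, ids), P) % P
    oprf_out = pow(combined, pow(r, -1, Q), P)  # = H(pin)^k, the same on every device with the right PIN
    return hashlib.sha256(pin.encode() + oprf_out.to_bytes(2, "big")).digest()  # the AES-GCM key
```

Any T of the N servers reconstruct the same key, and once a server has answered 10 queries for a user id it stops, which is what bounds PIN guessing.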

It's more complex than this, but I can offer the full design and am happy to implement it. I could use help:

* An Android app
* An iOS app
* Volunteers to run protection servers (I'll run one on my Raspberry Pi).

Is anyone interested in bringing Advanced Data Protection to everyone, in a manner that is hard to secretly turn into mass surveillance?