let f(x) = t(s(x)^2), where s,t:L->L are linear, [L:K]=n, char(K)>2
then g(x,y) = f(x+y)-f(x-y) = 4 t(s(x) s(y)) is bilinear.
if we fix x, then g(x,y) = 4 s(x) t(s(y)),
  and we can compute (t o s):L->L up to scaling by a constant
do this for x_1,..,x_n, and we learn s(x_i)
then from knowledge of s and t o s we can learn t

alternatively, let
  (D_y f)(x) = f(x+y)-f(x)
        = t([s(x)+s(y)]^2 - s(x)^2) = t(s(y)^2 + 2s(x)s(y));
then this is affine in x if we fix y, and the above ideas work.

higher-order diff. crypt.:
  if V is a vector space with basis v1,..,vn,
  define D_V f = D_v1 D_v2 ... D_vn f.
  fact: if f has degree d and dim V = d, then D_V f is a constant
  follows from the fact that deg (D_v f) <= deg f - 1.

if f(x) = t(s(x)^3) over L with char(L)=2,
then note that from v=u^3 we can get u*v = u^4, noting u^4 is linear in u,
hence there is a polynomial p(x,y) so that p(x,f(x)) = 0 for all x
and so that p is of degree 1 in x and in y separately (total degree 2),
hence you can use Gaussian elimination to find p,
and then given y you can find x s.t. p(x,y) = 0 by linear algebra.

generalization: the "affine multiple" attack
  note that we had a multiple A(u,v) = uv - u^4 of f(u)-v = u^3 - v
  so that A is affine in u if we fix v.  in general, such an A(u,v)
  is known as an "affine multiple" of f(u)-v.
fact: given any polynomial f(x), there exists an "affine multiple" 
 A(x,y) so that A(x,y) is a multiple of f(x) - y and moreover
 A(x,y) is linear in x when you fix y.
   note: A can be computed by looking at
     1, x, x^q, .., x^{q^{n-1}} mod f(x), where q = |K|,
   and then finding a linear relation (over K) among these n+1 polynomials
   (such a relation must exist, since we have n+1 polynomials over L,
    and L is an extension of K of degree n)
of course, finding the "affine multiple" might be hard
  in general, we can use Gaussian elimination if the degree of A in y is low
  (if deg_y A(x,y) <= k when x is fixed, then the multivariate
   polynomial A(x,y) is a sum of at most n^{k+1} monomials, hence with
   Gaussian elimination we can solve for the n^{k+1} unknown coefficients
   with O(n^{3k+3}) work)
once you find an affine multiple, you can use it to break the scheme

----

how to solve over-determined systems of equations of low degree

the quadratic case:

linearization
- given m^2/2 quadratic equations in m unknowns x_1,..,x_m,
  can solve by introducing m^2/2 new variables y_{ij} = x_i * x_j
  and then using Gaussian elimination
- given em^2 quadratic equations in m unknowns, the solution
  space is a linear subspace of dimension (1/2 - e)m^2, and
  each solution can be expressed as a linear function of (1/2 - e)m^2
  variables z_k
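
added example (not part of the original notes): linearization of a random quadratic system over GF(101) with m = 4 unknowns, showing that it succeeds once there are at least as many independent equations as monomials and fails otherwise.
assumptions: the field, the constructed secret, and all function names are chosen for the demo; linear terms x_i are kept as monomials too, so there are m(m+1)/2 + m = 14 unknowns after linearization.

```python
import random
from itertools import combinations_with_replacement
from math import prod

P = 101  # small prime field, assumed for this demo (the notes fix no field)

def monomials(m):
    """All x_i*x_j (i<=j), then all x_i: the unknowns after linearization."""
    return list(combinations_with_replacement(range(m), 2)) + [(i,) for i in range(m)]

def evaluate(mono, x):
    return prod(x[i] for i in mono) % P

def make_system(secret, n_eqs, rng):
    """Constructed input: random quadratic equations that `secret` satisfies."""
    vals, rows = [evaluate(mo, secret) for mo in monomials(len(secret))], []
    for _ in range(n_eqs):
        c = [rng.randrange(P) for _ in vals]
        rows.append(c + [sum(a * v for a, v in zip(c, vals)) % P])
    return rows

def solve_mod_p(rows, n):
    """Gauss-Jordan over GF(P): the unique solution, or None if rank < n."""
    rows = [r[:] for r in rows]
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None  # too few independent equations for linearization
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [a * inv % P for a in rows[col]]
        for r in range(len(rows)):
            if r != col and (f := rows[r][col]):
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def linearize_and_solve(rows, m):
    """Solve for every monomial as an unknown; keep x only if y_ij = x_i*x_j."""
    monos = monomials(m)
    y = solve_mod_p(rows, len(monos))
    if y is None:
        return None
    val = dict(zip(monos, y))
    x = [val[(i,)] for i in range(m)]
    return x if all(val[mo] == evaluate(mo, x) for mo in monos) else None

def demo(n_eqs, secret=(17, 42, 5, 99), seed=1):
    """Build a constructed system for a constructed secret and try to recover it."""
    system = make_system(list(secret), n_eqs, random.Random(seed))
    return linearize_and_solve(system, len(secret))
```

demo(20) recovers the secret; demo(13) returns None because 13 equations cannot determine 14 monomials.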

relinearization
- note that y_ij y_kl = y_ik y_jl = y_il y_jk = x_i*x_j*x_k*x_l,
  which gives two linearly independent equations for every 4-tuple of indices
- there are m^4/4! 4-tuples, so we get m^4/12 equations in m^2/2 unknowns y_ij
- using above idea, we can express this as m^4/12 equations in
  (1/2 - e)m^2 unknowns z_k
- now we can solve this new system in any way.
  - e.g., by linearization: we get m^4/12 equations in (1/2 - e)^2 m^4/2
    unknowns a_kl
  - solvable if m^4/12 >= (1/2 - e)^2 m^4/2,
    i.e., if (1/2 - e)^2 <= 1/6, i.e., if 1/2 - e <= 1/sqrt(6),
    i.e., if e >= 1/2 - 1/sqrt(6) ~= 0.1
  - or, by re-linearization again (just keep going recursively)
- similarly, we can consider 2k-tuples and look at new equations
  

generalizations:
- higher-degree cases: same ideas apply
- low-weight case: if we have p_i(x_1,..,x_m) = 0 for i=1,..,l,
  and each p_i is of low weight, then linearization needs fewer equations
  let S_i = set of monomials in p_i, let S = union_i S_i; if
  l = number of equations >= |S|, then linearization works