In Cryptanalysis of Block Ciphers with Overdefined Systems of Equations Nicolas Courtois and Josef Pieprzyk state (in Appendix A) that the Rijndael SBox can be written as a "linearized polynomial" $S(x): GF(2^8) \rightarrow GF(2^8)$:
$S(x) = 63+8F\cdot x^{127}+B5\cdot x^{191}+01\cdot x^{123}+F4\cdot x^{239}+25 \cdot x^{247}+F9 \cdot x^{251}+09 \cdot x^{253} + 05 \cdot x^{254}$
I want to understand how this can be derived from the SBox calculation usually described as:
$Sbox(x) = M \cdot x^{-1} + \vec{t}$
I understand that $x^{-1}$ can be written as $x^{254}$, but what are the necessary steps to get to the linearized form?
