This is related to Shamir's Secret Sharing(SSS) scheme. But secret polynomial is integer polynomial, not over finite field.
The scheme is based on the fact that univarite polynomial whose degree is uniquely determined as distinct points . This fact can be explained as Chinese Remainder Theorem(CRT) over univariate polynomial.
If , then
by polynomial remainder theorem. CRT states that we can recover polynomial such that
uniquely defined over
(same as ) and , we have by modulus uniqueness.
Lagrange Interpolation represents explicit formula of recovered polynomial.
Note that the polynomial may not be over the integer ring , but the rational field . This causes an vulnerablility for integer version of SSS.
In the challenge, we have to find secret whose determined as for degree 9 polynomial by given 9 points. At first glance, we cannot recover unique polynomial by 9 points only. However, the condition that recovered polynomial is over is so restrictive.
My solution is straightforward. I recovered polynomial by adding symbolical point ( is variable). Then, I solved the equation for all coefficient of is in , that is, the numerator modulo the denominator is . The solution is .
This leads me the folowing code.
On CTF, I obtained flag and it works repeatedly, I think that recovered polynomial is unique. @grhkm pointed why it is, I could not explain exactly. But we can understand nearly uniqueness by using CRT construction.
Given 9 points , we can recover such that . is uniquely defined . So we have
, and , so , that is, is a constant. And is monic, so . Then, . By substituting , we have
This means that is uniquely defined .
So I did not have to recover symbolic polynomial. I only have to compute .
On this challenge, is for some .
We know , but , so my solution is unique if . Even if , , then my (smallest) solution is correct with the probability . The overall probability is
Of cource, we can compute and check that recovered polynomial is valid (all coefficients except secret is positive and ) for reliablity of solution.