In particular: virtually all of block cipher crypto and message authentication relies on straightforward math. (It would be different if our challenges covered poly MACs, but we don't have good examples of common flaws in poly MAC implementations).
I agree that the published sets of challenges don't really need much theory.
Later: I just read Ferguson, with the linear algebra.
Now, via a simple polynomial evaluation property, you have f(x) + g(x) = (f + g)(x). We know f and g --- those are the two ciphertexts being authenticated here, interpreted as polynomials --- and we know that the polynomial f + g - S_0 - S_1 must be 0 at H. From there it's a matter of finding the roots of this polynomial, one of which is H, and this is the mathematically complicated part of the attack. Though you can treat root-finding as a black-box, the keywords here are Berlekamp or Cantor-Zassenhaus.
(Hopefully I didn't get this too wrong, I'm handwaving here)