Understanding forking lemma and oracle replay attack

Question

Many signature schemes use forking lemma to prove security, like scheme in here.In short, that goes through a reduction technique which called oracle-replay attack to solve the difficult algorithmic problem, requiring two rounds of simulation for $\mathcal{F}$ to obtain two valid signature pairs $(m,r,e,s)$ and $(m,r,e',s')$,where $r$ is a "commitment", $e = H(m||r)$,$s$ and $s'$ is related to $m$, $r$ and $e$. But how to ensure the forger $\mathcal{F}$ will output the same message $m$ and $r$ ,since they may select randomly in each simulation?

see also [PS00] David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 2000.

Answer 1

We use the fact that forger $\mathcal{F}$ is nothing else but a Turing machine with some random tape. And since $\mathcal{F}$ is in our possession, we can choose the tape. Therefore, we can rerun $\mathcal{F}$ with the same tape, and behavior of $\mathcal{F}$ will be just the same (until the point where the oracle will return different value and desired "forking" occurs).

Answer 2

The forger $F$ is a probabilistic Turing machine, i.e., a deterministic Turing machine with a random tape, but reusing the same random tape only cannot generate the same $(m,r)$.

In the simulation, the "outside" adversary $A$ (against some hard problem) runs $F$ in a black-box way and controls its random tape which contains fair random bits. For each $F$ execution, $A$ samples the random tape $r_F$ for $F$ and the random coins $r_H$ for answering random oracle $H$ queries. Note that for each sampled random tape, $A$ runs $F$ twice. In the second run, $A$ rewinds $F$ to the point where $H(m,r)$ was queried and then answers it with an independent random value $e'$. Because $A$ uses the same random tape $r_F$ and the same front portion (prior to answering $H(m,r)$) of $r_H$, $F$'s behaviour until querying $H(m,r)$ is fully determined and therefore will generate the same $(m,r)$.