To change from a standard (ID) sigma protocol to a signature scheme you apply Fiat-Shamir, which replaces an honest verifier choosing a random challenge, with a hash value.
How else could you get a provably honest random challenge? A blockchain!
If Alice commits to R in block N, she could use the blockhash of block N+100 and then publish a signature. No random oracle assumption required!
The security of bitcoin relies on the preimage resistance of the hash function anyway, lol.
(instance image by мøтħer ¢røω)