To change from a standard (ID) sigma protocol to a signature scheme you apply Fiat-Shamir, which replaces an honest verifier choosing a random challenge, with a hash value.
How else could you get a provably honest random challenge? A blockchain!
If Alice commits to R in block N, she could use the blockhash of block N+100 and then publish a signature. No random oracle assumption required!
Wait ...
The security of bitcoin relies on the preimage resistance of the hash function anyway, lol.

Sign in to participate in the conversation
unidentified instance

(instance image by мøтħer ¢røω)