I propose if you're going to change Bitcoin's proof-of-work to something other than the current SHA-2(56) to something else then you might as well go all in on SHA-3 to make it even more secure against near-future quantum computing technology (which governments may already have).
SHA-3 does that.
All SHA-3 candidates are rather ASIC-friendly, and Hashcash with such a hash function is highly
vulnerable to quantum speedup with Grover's algorithm.