Looking at the SQIsign I algorithm, which has "palatable" signature sizes but an astronomically high verification cost, I got the following shower thought: Could it be possible to introduce a post-quantum option based on optional verification?

Basically how today OP_RETURN tokens like Counterparty or Runes work: miners and full nodes would not need to verify the transactions. Instead it would be the users when they transfer and/or accept these coins; they would verify that there's a coherent chain of signatures until a point where an "old style Bitcoin" was burnt and exchanged to a "post-quantum Bitcoin" (a bit similar to how Counterparty was distributed originally).

Once hardware speeds have accelerated to the point that verification is no longer a problem, the verification could be turned mandatory again (i.e. a proof of verification added to the blocks), at the same time those "tokens" would then be recognized as "real Bitcoins".