I don't understand how ECDSA and the R-values comes here into play.
In the same way, as quantum-resistant signatures can be hidden behind P2TR.
https://gnusha.org/pi/bitcoindev/ZVcdKupXU+wjawRI@erisian.com.au/Sign-to-contract looks like:
* generate a secret random nonce r0
* calculate the public version R0 = r0*G
* calculate a derived nonce r = r0 + SHA256(R0, data), where "data"
is what you want to commit to
* generate your signature using public nonce R=r*G as usual
In general, if you have ECDSA signature, then you have some public key Q, and signature (R,s), which can connect public key R with public key Q. If ECDSA is broken, then still: "data" behind a given commitment will still be possible to verify. Knowing private key won't invalidate old signatures: if some hash was confirmed on-chain, and hidden behind R-value of some signature, then it will be still possible to verify later.
I think "block size" need to be increased to accommodate larger signatures.
Old nodes won't understand it anyway. Which means, that only quantum resistant nodes will see it. And for that reason, ECDSA verification can be just extended: first, ECDSA signature will be checked normally, and after that, quantum data can be hashed, and checked, if it matches R-value of a given signature. And then, new limit don't have to be based on block size, but on commitment size instead, and based on existing sigops limit.