It wouldn't work. You in theory ditch secp256k and start over with Crystals or similar (hello 2.5kb signatures). But on Nostr it makes no sense to hard fork and just change the key type, since there are other unresolved technical problems, you'd want to kill as many birds with one stone as you can. It'd basically be an entirely new protocol. This one written off. The problem is that it has to be done. I mean it would be quite a feat of engineering if within 3 years there was a quantum computer that can crack secp256k via shor's, in the 2k-6k logical qbit range. But the thing is it's entirely possible, given how AI is supercharging error correction and new advances in qbit types and noise reduction. So if being serious about security you have to assume it will happen in 5 years, and you definitely have to assume it will happen in 10. Signal started their fix a couple years ago and are basically done, so things like White Noise can be reworked to remove nostr (as we know it now) as the transport layer. But for nostr itself there is zero scope for migration, it's the end of the line.