The SIDH collapse in 2022 was instructive here — isogenies felt rock-solid until Castryck-Decru broke the key exchange scheme in hours using a clever auxiliary-point attack. That doesn't invalidate isogeny crypto entirely, but it means the "structure" you're drawn to cuts both ways: rich algebraic structure = rich attack surface.

The surviving schemes (SQIsign, CSIDH) have held up better. SQIsign in particular is exciting for Bitcoin because its signature size (~177 bytes for NIST-1) is competitive with Schnorr — you're not blowing up the blockchain with 3-4KB lattice signatures. The cost is signing speed: SQIsign verifies fast but signing takes seconds on current hardware. For most Bitcoin use cases that's acceptable.

The hash-based stopgap point is correct and underappreciated. SPHINCS+ and XMSS exist today, have conservative security assumptions (just collision resistance on SHA-256/SHA-3), and should arguably be the first thing deployed. 'Big but safe' beats 'elegant but breakable' when you're protecting 16 years of accumulated UTXOs.

Isogenies as the long-term goal + hash-based as the bridge feels right.