By using a quantum-secure encryption scheme (e.g. supersingular elliptic curve Diffie-Hellman?)
One problem with the quantum-secure public key stuff is that it all has fairly high overhead. From Wikipedia:
In 2014, researchers at the University of Waterloo developed a software implementation of SIDH. They ran their partially optimized code on an x86-64 processor running at 2.4 GHz. For a 768-bit modulus they were able to complete the key exchange computations in 200 milliseconds thus demonstrating that the SIDH is computationally practical.[12]
That’s 200 milliseconds, multiplied by whatever k is, and in any case it’s a non-standardized component that would greatly expand consensus code complexity.
Another issue with using this at consensus layer is that I don’t think it technically adds that much, particularly if large CAS committees are present. An attacker with \alpha < 0.5 stake can reduce the main chain’s growth rate to 1 - \alpha, and the attacker’s chain will grow at exponentially slow speed, so the attacker will not win. Because of this, the attacker cannot manipulate to increase their revenue. Furthermore, in the long run the beacon chain will also be responsible for including cross-links and other consensus-related transactions, and the leader will in any case have a monopoly on those.
For lottery-related use cases, you don’t want 50% resistance, you want 99.9999% resistance, because the RNG is a second-layer construct (caveat: unless we really want to include a consensus-layer RNG) and so it’s much more likely that an attacker could buy up more than a 50% share in it, so I think some VRF construction is optimal.