It's not particularly related. We have efficient quantum algorithms for RSA and discrete logarithms. Both are solved by viewing them as instances of the "hidden subgroup problem" over an abelian group.

Some well-known other problems are also HSP instances over non-abelian groups, for example

1. the learning with errors assumption (the main PQ thing people like) is a HSP instance over the dihedral group, and

2. graph-isomorphism is a HSP instance over the symmetric group.

LWE appears to be quite hard classically (SOTA attacks are 2^{~0.3n} time and exponential memory). Graph isomorphism is a famously easy problem outside of P, namely it is in quasi-polynomial time. So the fact that both are not in BQP doesn't say much about their relative classical difficulty.

This is precisely the uncertainty that the commenter above was referring to when they mentioned complexity classes like BQP. We don't necessarily know the precise relationship between quantum complexity classes and their classical counterparts.

The international standardization effort that led to ML-KEM and ML-DSA focused both on classical attacks (regular computers) and quantum attacks.

There were 5 levels being considered for each submission.

Level 1 - at least as difficult to attack as AES-128 (block cipher)

Level 2 - at least as difficult to attack as SHA-256 (hash function)

Level 3 - at least as difficult to attack as AES-192 (block cipher)

Level 4 - at least as difficult to attack as SHA-384 (hash function)

Level 5 - at least as difficult to attack as AES-256 (block cipher)

The security of attacking an N-bit block cipher is morally congruent to a birthday collision against a {2N}-bit hash function. With some caveats: https://soatok.blog/2024/07/01/blowing-out-the-candles-on-th...

ML-DSA-44 (smallest parameter set) targets Level 2 for signatures.

ML-KEM-768 targets Level 3 for KEMs.