Signature size of the PQC algorithms dilithium3 and dilithium5 do not match NIST 204 (Draft)

[xipki]

I am testing the dilithium (ML-DSA) signatures using bcprov version 1.77, and find out that the signatures of dilithium3 and dilithium5 have different size than NIST FIPS 204 (Draft), published August 24, 2023 (available under https://doi.org/10.6028/NIST.FIPS.204.ipd), "Table 2. Sizes (in bytes) of keys and signatures of ML-DSA.".

Bouncycastle (dilithium3) : 3309 bytes vs FIPS 204 (ML-DSA-65): 3293 bytes Bouncycastle (dilithium5) : 4627 bytes vs FIPS 204 (ML-DSA-87): 4595 bytes.

Below is the code to reproduce the result:

    public void testNist204() throws Exception {
        DilithiumParameterSpec[] keySpecs = {DilithiumParameterSpec.dilithium2,
            DilithiumParameterSpec.dilithium3, DilithiumParameterSpec.dilithium5};

        for (DilithiumParameterSpec keySpec : keySpecs) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("Dilithium", "BC");
            kpg.initialize(keySpec, new SecureRandom());
            KeyPair kp = kpg.generateKeyPair();
            byte[] encodedPubKey1 = kp.getPublic().getEncoded();

            System.out.println("\n=====" + keySpec.getName() + "=====\npublic key size: " +
                SubjectPublicKeyInfo.getInstance(encodedPubKey1).getPublicKeyData().getOctets().length);

            Signature sig = Signature.getInstance("Dilithium", "BC");
            sig.initSign(kp.getPrivate(), new SecureRandom());
            sig.update(new byte[256], 0, 256);
            byte[] sigValue = sig.sign();
            System.out.println("signature size: " + sigValue.length);
        }
    }

[roy-basmacier]

Hey @xipki, The values in Bouncy Castle are correct. NIST's comment about FIPS 204 for Table 2:

Note on the intermediate values for ML-DSA: We recognize that Table 2 of the draft FIPS 204 gives incorrect values for the sizes of the signature and private key.