Lattice-based polynomial commitment schemes are promising for their post-quantum security, competitive proof sizes, and fast prover speed. They are also natively compatible with proving lattice-based relations, such as those arising from verifiable FHE or signature aggregation, and very efficient for committing to sparse, one-hot polynomials, which arise in the most efficient protocols for memory checking (Twist & Shout). However, existing schemes suffer from either large proof sizes, slow verifier time, or reliance on non-standard lattice assumptions.

 We introduce Akita, a lattice-based PCS with concretely small proof sizes, fast prover & verifier time, and relying on the standard Module-SIS assumption. Building on Hachi, a recent lattice-based PCS, we introduce novel techniques that: (i) reduce verifier time from square-root to fourth-root, (ii) optimize the range check and the evaluation consistency check, and (iii) apply rejection sampling on the folded witness to achieve tighter security budgeting. These techniques yield 106KB proof size, 5.9s commit time, 2.5s prover time, and 20ms verifier time on a M4 Max, when committing to a 2^26-sized polynomial over a 128-bit field.

 Akita is being integrated into Jolt, a RISC-V zero-knowledge virtual machine, expecting a 3x prover time speedup over the current elliptic curve based version (which is quantum broken), while increasing proof size by less than 50%.

 This is ongoing joint work with Omid Bodaghi, Giuseppe Vitto, Amirhossein Khajehpour, Taghi Badakhshan (LayerZero Labs), Fengrun Liu (CMU), Justin Thaler (a16z), and Jiapeng Zhang (USC).