This paper presents a fully homomorphic encryption (FHE) scheme using ideal lattices. The scheme allows evaluation of arbitrary circuits on encrypted data without the need for decryption. The construction is based on three key steps: a general "bootstrapping" result, an initial construction using ideal lattices, and a technique to "squash the decryption circuit" to enable bootstrapping. The paper introduces a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Ideal lattices provide both additive and multiplicative homomorphisms, which are needed to evaluate general circuits. The initial scheme is not quite bootstrappable, as the depth of the decryption circuit is logarithmic in the lattice dimension, but the latter is greater than the former. The paper then describes a technique to reduce the depth of the decryption circuit, thereby obtaining a bootstrappable encryption scheme without reducing the depth that the scheme can evaluate. The paper also discusses the security of the scheme, showing that it is semantically secure under certain assumptions. It defines a set of permitted circuits and shows that the scheme is correct for these circuits. The paper also discusses the computational complexity of the scheme, showing that it is polynomial in the security parameter and the size of the circuit. The paper concludes by describing a concrete construction of the scheme using ideal lattices and polynomial rings. The construction involves defining a ring R, an ideal I, and a basis B_I for I. The scheme uses these to define the public and secret keys, as well as the encryption and decryption algorithms. The paper also discusses the security of the scheme, showing that it is semantically secure under certain assumptions.This paper presents a fully homomorphic encryption (FHE) scheme using ideal lattices. The scheme allows evaluation of arbitrary circuits on encrypted data without the need for decryption. The construction is based on three key steps: a general "bootstrapping" result, an initial construction using ideal lattices, and a technique to "squash the decryption circuit" to enable bootstrapping. The paper introduces a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Ideal lattices provide both additive and multiplicative homomorphisms, which are needed to evaluate general circuits. The initial scheme is not quite bootstrappable, as the depth of the decryption circuit is logarithmic in the lattice dimension, but the latter is greater than the former. The paper then describes a technique to reduce the depth of the decryption circuit, thereby obtaining a bootstrappable encryption scheme without reducing the depth that the scheme can evaluate. The paper also discusses the security of the scheme, showing that it is semantically secure under certain assumptions. It defines a set of permitted circuits and shows that the scheme is correct for these circuits. The paper also discusses the computational complexity of the scheme, showing that it is polynomial in the security parameter and the size of the circuit. The paper concludes by describing a concrete construction of the scheme using ideal lattices and polynomial rings. The construction involves defining a ring R, an ideal I, and a basis B_I for I. The scheme uses these to define the public and secret keys, as well as the encryption and decryption algorithms. The paper also discusses the security of the scheme, showing that it is semantically secure under certain assumptions.