*Post-quantum cryptography* aims to prepare the world for a scenario in which the attacker is in possession of a quantum computer. In this scenario, ECC-based and RSA-based cryptography are broken by variants of Shor's algorithm in about the same time that it takes to execute them. While quantum computers are not currently realized, the goal is to be prepared in case of this eventuality. If the attacker has access to encrypted communication now and the storage facilities to keep this data until quantum computers are eventually built, then he can decipher this communication as soon as his quantum computer is big enough. This is a problem for long-term confidential data if the encryption uses any public-key component and the data is transmitted over an insecure channel.
Research is under way to establish cryptosystems that remain secure if the attacker has a quantum computer, and it has identified lattice-based encryption, code-based encryption, multivariate signatures, and hash-based signatures as promising candidates. So far these systems are far less used because of disadvantages such as key size, execution time, or the need to modify how they are used. It is important to study the security of these schemes under quantum and regular attack, and also to improve the schemes and their embedding into cryptographic protocols to get them ready for deployment. This meeting seeks to complement the series of PQCrypto conferences by bringing together researchers from that community with outsiders in related specialties such as coding theory and number theory.