Proof of Learning

Proof of Learning (PoL) is verifiable education infrastructure built for the world the Canvas breach exposed. In April–May 2026, the ShinyHunters group breached Instructure (Canvas), the dominant LMS in North America — roughly 3.65 TB of student data across ~9,000 institutions, ~275 million people. The root cause wasn't a misconfiguration; it was the architecture every major LMS shares: plaintext student records centralized in shared multi-tenant infrastructure, where one boundary failure cascades across every customer at once. And when Instructure paid the ransom, the only "proof" of deletion was the attackers' word — a shred log, no cryptographic certainty. PoL refuses that model. It pushes the security guarantee down from the application layer (Layer 7 — logins, sessions, access control) into the cryptographic primitives and storage layers (Layers 0/3 — the math and the encrypted store). The result is a bounded blast radius: compromise the application layer, the exact Canvas failure mode, and you get no decryption capability — you're stopped at the threshold math, not handed a plaintext database. Four properties define the architecture. Threshold encryption: student records are encrypted and the decryption capability is split across the school, an independent steward, and — for under-13 records — a parent-trustee, so no single party (including the operator) can decrypt unilaterally; decryption requires M-of-N cooperation. Selective disclosure: parents, colleges, and employers verify a specific attribute (a GPA threshold, enrollment, credential validity) via cryptographic proof, without the underlying record ever being exposed. Dual-anchored audit logs: every access is recorded to a tamper-evident log anchored to two independent destinations (OpenTimestamps→Bitcoin and Guardtime KSI). Verified cryptographic erasure (crypto-shred): a deletion request destroys the key shares, rendering the ciphertext unrecoverable noise — provable destruction, the certainty Instructure couldn't offer.

Travel, exposure and then my dad died.

I was writing a follow up on the paper I published last year, studying Estonia's KSI Blockchain and Hong Kong's Real DID KYC trial and applying it to the Canadian mining industry as a response to the Nov 2025 SCC decision in Lundin Mining Corp v Markowich when I got the call my father was dying.

I flew home to Canada, to witness New Brunswick's palliative care irl and quickly realized that my framework could also be applied to health care (and thus other industries). (It helps that my dad also worked in policy, and his mind was with us until the end, discussing both our work until the very end. His final book "The History of Work" will be published by the end of this year.)

I submitted Verifiable Frameworks (with the Verifiable Mineral Assets and Verifiable Care as pilots) to the University and worked on developing my Scoring Matrix and Implementation Blueprints.

That's when ShinyHunters hit Instructure. I always knew my Framework could also be applied to education, and they just provided me with the catalyst. I was able to piece it together thanks to workshops from dev3pack (merci Solene!) only to discover I didn't have to build a complete LMS to launch - I actually have devised essentially a security layer that can be applied to any current LMS as a preliminary security product, mitigating the $10k minimum migration cost for concerned institutions. I submitted to this hackathon, and here we are today!

Leveraged [Agent Tool, e.g., Cursor/Aider] to accelerate the cryptographic state-machine generation and unit testing framework.