Provenance Chain: Cryptographic Supply Chain Verification for Canadian Defence

Who We Are

We are a team of five University of Waterloo students with hands-on experience in the industries this problem actually affects. Two of us work in Canadian defence (Thales and General Dynamics). Three of us build scalable systems at Shopify. We did not come to this hackathon to learn about supply chains. We came because we have seen the compliance problem from the inside.


The Problem We Refused to Ignore

Canada is deploying $81.8 billion over five years to rebuild its Armed Forces. Every dollar of that spending hinges on "Buy Canadian" procurement rules that currently cannot be verified by anyone.

Right now, a defence supplier prints "Made in Canada" on a label. A Prime Contractor signs a PDF saying they believe it. The government accepts the claim. Nobody can actually check.

This is not just a paperwork problem. Military supply chains are deeply intertwined. Primes subcontract to Tier-2s, who subcontract to Tier-3s, who source from Tier-4 machine shops in rural Ontario. If one node in that chain is compromised, whether through a falsely labelled component, an undocumented foreign material, or a sanctioned-country input, the contamination ripples through every defence asset that touched it. The Canadian government currently has no tool to instantly query which assets are affected.

The compliance cost of getting this wrong is severe. Under Canada's Controlled Goods Program (CGP) and the Defence Production Act, non-compliance carries fines of up to $2 million per day and up to 10 years imprisonment. Worse than the fines is debarment: permanent blacklisting from federal contracts. For a defence company, that is immediate bankruptcy. Canada's Auditor General has documented defence procurement projects running $8.7 billion over original estimates, driven in significant part by manual compliance bottlenecks that delay delivery by years.

The status quo is not just inefficient. It is a national security vulnerability.


What We Built

Provenance Chain is a cryptographic supply chain verification system built specifically for Canadian defence procurement.

Every supplier contribution is recorded as a cryptographically signed attestation: a structured record bound to the supplier's verified identity via Ed25519 digital signatures. Each attestation references the ones it consumed, forming a hash-linked Directed Acyclic Graph (DAG) from raw material to finished product. You cannot alter any record without breaking every downstream signature. The chain is mathematically tamper-evident.

Our backend exposes a POST /verify endpoint that:

  • Ingests a product's full attestation chain
  • Walks the DAG and verifies every Ed25519 signature against the supplier registry
  • Computes Canadian content percentages per the Competition Bureau's legal definitions (51% threshold for Made in Canada, 98% for Product of Canada)
  • Detects and classifies integrity anomalies across five categories: tampered attestations, replay attacks, quantity inconsistencies, broken chain links, and statistically anomalous cost structures

All of this runs in O(N) time. Whether the drone has 50 parts or 50,000, verification is instant.

We shipped three components:

  • Verification backend — FastAPI service, fully containerized via Docker Compose, deployable anywhere in minutes with docker compose up
  • Supplier interface — Web UI for issuing signed attestations without touching cryptography
  • Purchaser interface — QR-code scannable provenance dashboard readable by any DND procurement officer without technical background

The Algorithm: How We Detect Fraud

Verifying a clean chain is mechanical. The hard work is catching fraud that looks legitimate.

Our anomaly detection runs two layers:

Layer 1 — Hard rule violations. For every attestation in the chain, we check: does the signature verify against the registered public key for the claimed supplier? Does the content hash match the parent reference? Does the quantity consumed exceed what the upstream supplier actually produced? Does the DAG contain cycles or broken links? Any failure here is a definitive integrity violation, classified by type and flagged with the offending attestation ID.

Layer 2 — Statistical anomalies. Some fraudulent chains pass every hard rule but are implausible relative to how real supply chains behave. We trained on the 1,000 labeled chains in the provided corpus to learn the distribution of genuine attestations: typical cost ratios, labour hour ranges per action type, and material quantity patterns by tier. Attestations that are individually rule-compliant but statistically anomalous relative to this distribution are flagged separately, giving auditors a prioritized list of suspicious nodes without generating false positives on legitimate edge cases.

Anomaly detection is scored by F1, so over-flagging hurts as much as missing violations. Both layers are tuned with that tradeoff in mind.
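
An added example, not the project's own code, of the Layer 1 structural rules described above: hash-link mismatches, broken references, over-consumed quantities and cycles, checked in a single pass over the chain. The record fields (id, produced_qty, inputs with ref/hash/qty) and the SHA-256 hash over canonical JSON are assumptions, and signatures are assumed to have been verified against the registry beforehand.

```python
import hashlib
import json
from collections import defaultdict, deque

def content_hash(att):
    blob = json.dumps(att, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()  # assumed encoding: canonical JSON

def check_chain(attestations):  # returns sorted (category, attestation_id) findings
    by_id = {a["id"]: a for a in attestations}
    findings, consumed, children = set(), defaultdict(float), defaultdict(list)
    indegree = dict.fromkeys(by_id, 0)
    for att in attestations:
        for inp in att["inputs"]:
            parent = by_id.get(inp["ref"])
            if parent is None:  # reference to a record missing from the chain
                findings.add(("broken_link", att["id"]))
                continue
            if content_hash(parent) != inp["hash"]:  # parent changed after being referenced
                findings.add(("tampered", parent["id"]))
            consumed[parent["id"]] += inp["qty"]
            children[parent["id"]].append(att["id"])
            indegree[att["id"]] += 1
    for pid, total in consumed.items():
        if total > by_id[pid]["produced_qty"]:  # children drew more than was produced
            findings.add(("quantity_inconsistency", pid))
    # Kahn's algorithm: a node never released sits on or downstream of a cycle.
    queue = deque(a for a, deg in indegree.items() if deg == 0)
    while queue:
        for child in children[queue.popleft()]:
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    findings.update(("cycle", a) for a, deg in indegree.items() if deg)
    return sorted(findings)

def make(aid, produced, inputs=()):  # constructed sample record, hypothetical fields
    return {"id": aid, "produced_qty": produced, "inputs": [
        {"ref": p["id"], "hash": content_hash(p), "qty": q} for p, q in inputs]}

def demo():
    ore = make("ore-1", 100)
    bar = make("bar-1", 40, [(ore, 60)])
    frame = make("frame-1", 1, [(bar, 5)])
    clean = check_chain([ore, bar, frame])
    rod = make("rod-1", 10, [(ore, 50)])  # 60 + 50 drawn from 100 produced
    bar["produced_qty"] = 400  # edited after frame-1 hashed it
    frame["inputs"].append({"ref": "ghost-9", "hash": "0" * 64, "qty": 1})
    return clean, check_chain([ore, bar, rod, frame])
```

demo() returns the findings for a clean constructed chain and for the same chain after three manipulations.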


The Security Architecture: Proof Separated from Payload

We treat the aggregated supply chain graph as a critical intelligence asset. An adversary who maps Canada's full defence supply chain knows what Canada is building, who is building it, and what it costs. That information cannot be exposed.

Our architecture separates proof from payload.

Think of it like a bank's safe deposit system. The verification layer stores only cryptographic hashes and digital signatures, mathematical fingerprints that prove an event occurred without revealing what the event was. The actual sensitive data (part names, costs, schematics) stays locked in a Canadian-sovereign, Protected B (PBMM) environment: encrypted at rest and in transit, stored on Canadian soil, and accessible only to security-assessed personnel per CGP cloud guidance.

Access is governed by Need-to-Know:

Role | Access Level
Tier-4 Supplier (Ryan's Machine Shop) | Sees only the attestations they created
Prime Contractor | Sees aggregated Canadian content percentages for their assembly
DND Auditor (with clearance) | Decrypts and traverses the full supply chain graph

If the verification backend is breached, the attacker gets alphanumeric hashes. Mathematical gibberish. The blueprints of Canada's military fleet remain locked.


The Path to Real-World Deployment

Governments do not change procurement systems overnight. We designed our rollout around how Canadian defence policy actually works.

Phase 1 — DND IDEaS Pilot

The Department of National Defence runs the Innovation for Defence Excellence and Security (IDEaS) program specifically to test dual-use technologies against real defence problems. We apply for IDEaS funding to run a cryptographic provenance pilot on a single asset class, a specific reconnaissance drone procurement, to validate the system under real contract conditions.

Phase 2 — PSPC RFP Mandate

Precedent already exists. In March 2025, Canada launched the Canadian Program for Cyber Security Certification (CPCSC), which mandates cybersecurity certification as a condition of defence contract award. The same legislative mechanism applies to provenance. Once the pilot is validated, PSPC modifies RFP requirements: origin claims must be submitted via cryptographic attestation. The 50-page compliance PDF is retired.

Phase 3 — Industry Standard

Prime contractors realize the system eliminates millions in annual compliance audit costs and begin mandating it across their subcontractor networks, not just for Canadian content, but for CGP compliance across every procurement. Walking the floor at CANSEC, every piece of hardware carries a cryptographic QR code proving its sovereign origins. That is the gold standard we built toward.


What We Learned

We came in understanding cryptography and supply chains as separate concepts. We left understanding that the hard problem was never the math. It was the threat model.

A valid signature proves a message was not garbled. It does not prove the claim is true. An adversary with access to a supplier's private key can produce a perfectly signed, completely fraudulent chain. Building a system that catches economically plausible but dishonest attestations required thinking like an adversary, not just an engineer.

Canada is spending $81.8 billion to rebuild its Armed Forces. The weakest link in that investment is not the hardware. It is the paper trail behind it. We built the fix.
