AI-Driven Blockchain and Federated Learning for Secure Electronic Health Records Sharing

Abstract

The proliferation of electronic health records necessitates secure and privacy-preserving data sharing frameworks to combat escalating cybersecurity threats in healthcare. Current systems face critical limitations including centralized data repositories vulnerable to breaches, static consent mechanisms, and inadequate audit capabilities. This paper introduces an integrated blockchain and federated learning framework that enables privacy-preserving collaborative AI across healthcare institutions without centralized data pooling. The proposed approach combines federated distillation for heterogeneous model collaboration with dynamic differential privacy that adapts noise injection to data sensitivity levels. A novel threshold key-sharing protocol ensures decentralized access control, while a dual-layer Quorum blockchain establishes immutable audit trails for all data sharing transactions. Experimental evaluation on clinical datasets (Mortality Prediction and Clinical Deterioration from eICU-CRD) demonstrates that our framework maintains diagnostic accuracy within 3.6% of centralized approaches while reducing communication overhead by 71% and providing formal privacy guarantees. For Clinical Deterioration prediction, the framework achieves 96.9% absolute accuracy on the Clinical Deterioration task with FD-DP at $ϵ$ = 1.0, representing only 0.14% degradation from centralized performance. The solution supports HIPAA-aligned technical safeguards, mitigates inference and membership attacks, and enables secure cross-institutional data sharing with real-time auditability. This work establishes a new paradigm for privacy-preserving healthcare AI that balances data utility, regulatory requirements, and protection against emerging threats in distributed clinical environments.

1. Introduction

The digitization of Electronic Health Records (EHRs) introduces significant privacy risks for AI-driven healthcare applications [1,2,3], evidenced by a 136% increase in ransomware attacks and over 88 million patient records compromised in the US during 2023 [4]. These breaches reveal systemic failures in current AI healthcare systems, including static consent models that cannot revoke access [5], forensic blind spots preventing audit trails [6], and third-party vulnerabilities that compromise AI model integrity [7,8,9,10].

Blockchain technology addresses these gaps by providing immutable audit logs for HIPAA compliance (45 CFR §164.312) [11], enabling patient-centric data control via smart contracts [12], and ensuring tamper-evident sharing through zero-knowledge proofs [13].

The proposed AI-driven framework directly addresses urgent requirements outlined in the HHS Cybersecurity Performance Goals (2024) for real-time anomaly detection and patient access and control of their data [14]. By integrating blockchain-based audit trails with federated learning and dynamic consent, our system not only enables secure AI collaboration but also mitigates the $\$10.1$ million average cost of EHR data breaches [15].

1.1. Literature Review

Recent advances in privacy-preserving collaborative learning for Healthcare 4.0 have explored various approaches to secure model training across institutions. This section systematically reviews key developments from 2022 to 2024, focusing on privacy techniques, model heterogeneity, collaborative frameworks, and blockchain integration.

1.1.1. Privacy-Preserving Techniques

Guo et al. [16] implemented adaptive differential privacy with dynamic Gaussian noise scaling based on gradient sensitivity. Their homogeneous federated learning framework requires identical model architectures across institutions. Zaobo et al. [17] personalized Laplace noise injection using Wasserstein distances between client data distributions, adapting privacy budgets from $ϵ=0.5$ to $5.0$ based on institutional needs. Qian et al. [18] employed institution-specific differential privacy budgets using Shapley value analysis, while Sang et al. [19] adapted client-level differential privacy with Laplace noise scaled to model divergence.

1.1.2. Heterogeneous Model Support

Chen et al. [20] utilized leveled homomorphic encryption to protect logit exchanges in heterogeneous knowledge distillation, supporting ResNet, ViT, and CNN models through polynomial approximations. Snehlata and Ritu [21] combined SPDZ secure multiparty computation with knowledge distillation for heterogeneous model collaboration. Ying et al. [22] reduced communication costs via logit quantization in heterogeneous distillation, and Lee et al. [23] employed attention-based gating for model weighting in heterogeneous ensemble federated learning.

1.1.3. Blockchain Integration

Youyang et al. [24] developed a blockchain-based threshold signature scheme for decentralized key management in homogeneous federated learning. Raushan et al. [25] leveraged Hyperledger Fabric for model integrity verification, while Xiaokang et al. [26] stored encrypted logits on IPFS with blockchain-anchored hashes for federated distillation. Mishra et al. [21] implemented Shamir’s secret sharing with BLS signatures for decentralized trust in homogeneous federated learning.

1.1.4. Limitations and Research Gaps

Current approaches face several limitations: (1) most homogeneous frameworks enforce architectural uniformity, limiting practical deployment; (2) many solutions lack comprehensive privacy protections, with some leaking model metadata or participation patterns; (3) blockchain integration remains underutilized for audit trails and verification; (4) adaptive privacy mechanisms often lack verification against manipulation. These gaps motivate our proposed framework integrating dynamic differential privacy, federated distillation, and blockchain verification for healthcare applications.

1.2. Main Contributions and Paper Organization

Our work makes the following key contributions to secure and privacy-preserving data sharing in healthcare systems:

• Blockchain-Enhanced Federated Learning Architecture. Designs a novel integration of Quorum blockchain with federated learning to create tamper-proof audit trails for model sharing while maintaining data decentralization across healthcare institutions.
• Privacy-Preserving Federated Distillation. Enables secure knowledge transfer across architecturally heterogeneous models through encrypted logit exchange, preventing raw data exposure while supporting diverse AI model collaboration.
• Dynamic Privacy–Utility Optimization. Introduces adaptive differential privacy mechanisms that automatically calibrate noise injection based on data sensitivity and model convergence, balancing privacy guarantees with AI model performance.
• Decentralized Key Management for Secure Sharing. Develops a threshold cryptography protocol for distributed key control, ensuring that health data access requires multi-party authorization while maintaining blockchain-verifiable audit trails.
• Cross-Institutional Trust Framework. Establishes a consortium blockchain model with private transactions, enabling verifiable data sharing between healthcare organizations while complying with regulatory requirements.

Paper Organization: The remainder of this paper is organized as follows: Section 1.1 presents related work. Section 2 provides preliminary concepts and problem definition. Section 3 details the proposed methodology. Section 4 describes the blockchain architecture. Section 5 discusses experimental results. Finally, Section 6 concludes the paper.

2. Preliminary

This section formalizes the EHR federated learning and dual-layer blockchain as frameworks as shown in Figure 1 and Figure 2, respectively, including data models, privacy guarantees, and cryptographic foundations.

Figure 1. EHR federated learning architecture with THE-secured aggregation.

Figure 2. Dual-layer blockchain: hospital-private chains and consortium chain.

2.1. Mathematical EHR Model

A healthcare network [27] consists of:

• Hospitals: $\mathcal{H}=H_1,\dots ,H_n$, each with a private dataset $\mathcal{D}i=(x_j,y_j){j=1}^{m_i}$ where $x_j\in {\mathbb{R}}^d$ (clinical features) and $y_j\in 0,1$ (diagnosis label).
• Edge Servers: Each $H_i$ operates servers $E_i$ training local models $\mathcal{M}i$ with parameters ${\theta }_i\in {\mathbb{R}}^p$.

Constraints:

1.

Non-IID Data: $P\mathcal{D}i(x,y)\ne P\mathcal{D}k(x,y)$ for $i\ne k$.

2.

Institutional Policies: Model architecture $f{\theta }_i$ enforced via policy ${\pi }_i$.

2.2. Differential Privacy for EHR

A mechanism $\mathcal{M}$ satisfies $(ϵ,\delta )$-DP if for adjacent datasets $\mathcal{D},{\mathcal{D}}^{\prime }$:

$$Pr[\mathcal{M}\left(\mathcal{D}\right)\in S]\le e^{ϵ}Pr[\mathcal{M}\left({\mathcal{D}}^{\prime }\right)\in S]+\delta ,\forall S\subseteq \mathcal{R}.$$

(1)

Healthcare Adaptations:

• Dynamic Budgets: ${ϵ}_i={ϵ}_{\mathrm{total}}·{(m_i/m_{max})}^{\alpha }$.
• Gradient Sensitivity: $\Delta =max\parallel \nabla \mathcal{L}(\theta ;\mathcal{D})-\nabla \mathcal{L}(\theta ;{\mathcal{D}}^{\prime }){\parallel }_2$.

2.2.1. Threshold Homomorphic Encryption

• Key Gen: Distributed $(pk,{\left\{s{k}_i\right\}}_{i=1}^n)$.
• Encrypted Aggregation: $\left[{\theta }_{\mathrm{agg}}\right]={\prod }_{i=1}^n{\mathrm{Enc}}_{pk}\left({\theta }_i\right)$.
• Threshold Decryption: ${\theta }_{\mathrm{agg}}={\mathrm{Dec}}_{{\left\{s{k}_i\right\}}_{i\in \mathcal{T}}}\left(\left[{\theta }_{\mathrm{agg}}\right]\right),\left|\mathcal{T}\right|\ge t$.

2.2.2. Threat Model

Adversaries may:

1.

Infer $x_j$ from ${\theta }_i$ [28].

2.

Tamper with ${\theta }_i$ in transit.

3.

Collude with $t-1$ hospitals.

Defenses:

• DP Noise: $\eta \sim \mathrm{Lap}(\Delta /ϵ)$.
• THE Security: Information-theoretic for $\left|\mathcal{T}\right|<t$ [28].
• Blockchain: Immutable hashes $h_i=\mathrm{SHA}-256\left({\theta }_i\right)$.

2.3. Blockchain Infrastructure for Federated Healthcare

Dual-blockchain architecture as in Figure 2, combines cryptography [29] with FL:

• Immutable Provenance: Hash chains [30].
• Decentralized Trust: PBFT consensus.
• Privacy Verification: zk-SNARKs [31].

2.3.1. Component Formalization

Table 1 formalizes the performance model for the dual-layer blockchain (see Figure 2).

Table 1. Performance Characteristics.

Metric	Hospital	Consortium
Throughput	$O\left(\right|{\theta }_i\left|\right)$	$O(n/logn)$
Latency	$O\left(1\right)$	$O(logn)$
Storage	$O\left(k\right|{\theta }_i\left|\right)$	$O\left(nh\right(\theta \left)\right)$

Definition 1 

(Hospital Chain ${\mathcal{B}}_i$). For ${\mathcal{H}}_i\in \mathcal{H}$: ${\mathcal{B}}_i=(b_1,\dots ,b_k)$ where $b_j=⟨h_{j-1},{\mathrm{Tx}}_j,t_j,\mathrm{Nonce}⟩,$ ${\mathrm{Tx}}_j=⟨{\theta }_i^{\left(t\right)},{\sigma }_{s{k}_i},{\pi }_{\mathrm{DP}},h\left({\mathcal{D}}_i\right)⟩$.

Definition 2 

(Consortium Chain $BM$ [30]). $\mathit{Consensus}\left(BM\right)=\mathbb{I}[{\sum }_{i=1}^n{w}_i·\mathit{BLS}.\mathit{Verify}(p{k}_i,h_i,$${\sigma }_i) \ge \tau ]$, $\tau =\lfloor 2n/3\rfloor +1$.

2.3.2. Security Analysis

Theorem 1 

(Immutable History [31]). $Pr\left[\mathit{Alter}{b}_j\right]\le {\mathit{Adv}}_{\mathit{ECDSA}}\left(\kappa \right)+{\mathit{Adv}}_{\mathit{SHA}\mathit{3}}\left(\kappa \right)$.

Theorem 2 

(Cross-Validation [31]). $Pr\left[\mathit{Accept}\mathit{invalid}{\theta }_i\right]\le {(f/n)}^{t_c}+\mathit{negl}\left(\kappa \right)$.

Algorithm 1 formalizes blockchain-mediated FL with zero-knowledge privacy proofs and blockchain commitments.

Algorithm 1 Blockchain-Mediated FL Round
Require: Global model parameters ${\theta }^{\left(t\right)}$, hospital datasets ${\left\{{\mathcal{D}}_i\right\}}_{i=1}^n$
Ensure: Updated global model ${\theta }^{(t+1)}$
1:	Input: ${\theta }^{\left(t\right)}$, ${\left\{{\mathcal{D}}_i\right\}}_{i=1}^n$
2:	Output:  ${\theta }^{(t+1)}$
3:	Each $H_i$ computes: ${\theta }_i^{(t+1)}\leftarrow \mathrm{FedAvg}({\theta }^{\left(t\right)},{\mathcal{D}}_i)$
4:	Generates proof: ${\pi }_i\leftarrow \mathrm{ZK}-\mathrm{Prove}\left({\theta }_i\mathrm{satisfies}\mathrm{DP}\right)$
5:	Commits to $B_i$: $\mathrm{MintTx}({\theta }_i,{\pi }_i,{\sigma }_i)$
6:	$BM$ verifies: $\mathrm{CheckConsensus}\left({\left\{h\left({\theta }_i\right)\right\}}_{i=1}^n\right)$
7:	Aggregates: ${\theta }^{(t+1)}\leftarrow {\sum }_{i=1}^n{\displaystyle \frac{|{\mathcal{D}}_i|}{\left|\mathcal{D}\right|}}{\theta }_i^{(t+1)}$

3. Methodology

Current blockchain-EHR systems face limitations: (1) rigid privacy budgets in FL, (2) homogeneous model constraints across institutions, and (3) expensive on-chain verification causing scalability bottlenecks.

The proposed approach (Figure 3) introduces: (1) dDP for adaptive noise injection, (2) FD for cross-architectural collaboration, and (3) threshold key-sharing with lightweight Quorum verification. This section details: (1) FD-based federated learning, (2) dDP implementation, (3) THE for secure aggregation, and (4) blockchain integrity mechanisms. The system achieves 96.9% accuracy at $ϵ=1.0$ with 71% lower overhead than conventional approaches.

Figure 3. Functional flow of proposed model.

3.1. Problem Statement

Problem 1 

(Secure Cross-Hospital Model Sharing under Policy Constraints). Given:

• K hospitals ${\mathcal{H}}_k=(E_k,S_k,{\pi }_k)$ from Definition 3
• Honest-but-curious participants requiring $(ϵ,\delta )$-DP
• Threshold access control Φ with t-out-of-n security

design protocol Π satisfying:

(P1) 

Policy-Compliant Collaboration: Enable FD (Lemma 1) with:

$$\mathrm{Arch}\left({\mathcal{M}}_i\right)={\pi }_i\ne {\pi }_j$$

(2)

 preserving ${\Delta }_{\pi }$-bounded divergence (Remark 4).

(P2) 

Provable Privacy: Achieve $({ϵ}_{\mathrm{comp}},\delta )$-DP (Corollary 3):

$${ϵ}_{\mathrm{comp}}=min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)\left({\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ}}\right)$$

(3)

(P3) 

Blockchain-Verifiable Integrity: Maintain Property 1 (S2):

$$Pr[h\left({\mathcal{M}}_i^{\prime }\right)=h\left({\mathcal{M}}_i\right)]\le ϵ\left(\kappa \right)$$

(4)

(P4) 

Efficient Communication: Limit bandwidth to $O\left({\displaystyle \frac{d}{ϵ}}\sqrt{log(1/\delta )}\right)$ (Corollary 1).

subject to tradeoff (Remark 1):

$$ϵ·\delta ·\left(1-{\displaystyle \frac{t}{n}}\right)\ge \Omega \left({\displaystyle \frac{\mathrm{poly}\left(\kappa \right)}{\mathrm{vol}\left(\mathcal{D}\right)}}\right)$$

(5)

3.2. Architecture Overview

To clarify the proposed framework, the architecture connects hospital edge servers ($E_i$) training local models (${\mathcal{M}}_i$) on private medical data to hospital-controlled blockchains ($B_i$) that verify and store model updates. These local models are securely aggregated into global models (${\mathcal{GM}}_i$) at central servers ($S_i$) using dynamic differential privacy, where noise is adaptively injected according to data sensitivity.

Threshold homomorphic encryption ($\Phi$) enables secure cross-hospital collaboration through a multi-institutional blockchain ($BM$), which maintains immutable audit trails, enforces institutional policies (${\pi }_i$), and provides t-out-of-n access control. This design ensures that model updates remain confidential, tamper-proof, and compliant with privacy budgets while allowing hospitals with heterogeneous local models to participate seamlessly.

Figure 3 illustrates the functional flow of this architecture, highlighting the interactions between local training, blockchain verification, secure aggregation, and global model dissemination. The framework achieves an optimal balance between privacy, security, and model utility in real-world, multi-institution healthcare settings.

The proposed architecture in Figure 3 connects edge servers ($E_i$) training local models (${\mathcal{M}}_i$) to hospital blockchains ($B_i$) that verify updates. For homogeneous model scenarios, servers share gradients ($\nabla {\theta }_i$) to reduce blockchain complexity, while heterogeneous scenarios use model sharing (${\mathcal{M}}_i$) to enable federated distillation. These aggregate into global models (${\mathcal{GM}}_i$) at central servers ($S_i$) using dDP ($W_{private}=W+\mathcal{L}(0,\Delta /ϵ)$), with THE enabling cross-hospital collaboration via a multi-institutional blockchain ($BM$) maintaining audit trails while enforcing policies (${\pi }_i$) with t-out-of-n access control.

Definition 3 

(System Architecture). $\mathcal{A}:=(E,S,\mathcal{H},B,BM,\Phi ,\Gamma )$, where:

• $E:={\left\{E_i\right\}}_{i=1}^N$: edge servers training ${\mathcal{M}}_i$ on $C_i$.
• $S:={\left\{S_j\right\}}_{j=1}^M$: aggregation servers for ${\mathcal{GM}}_j$.
• $\mathcal{H}:={\{{\mathcal{H}}_k:=(E_k,S_k,{\pi }_k)\}}_{k=1}^K$: hospitals with policies ${\pi }_k$.
• $B:={\left\{B_k\right\}}_{k=1}^K$: blockchains for signed gradient/model storage.
• $BM$: inter-chain linkage via ⋈ operations.
• Φ: t-threshold homomorphic encryption.
• Γ: sharing mode selector ($\Gamma =0$: gradients, $\Gamma =1$: models).

Assumption 1 

(Honest-but-Curious Participants). For all ${\mathcal{H}}_i\in \mathcal{H}$ in Π:

(i) 

Protocol Compliance: ${\mathrm{NextState}}_i^{(t+1)}=f_{\Pi }({\mathrm{State}}_i^{\left(t\right)},m)$.

(ii) 

Information Leakage: $Pr[D\left({\mathrm{View}}_i^{\Pi }\right)=x]\le \mathrm{negl}\left(\kappa \right)$ for $x\in {\mathcal{D}}_{\mathrm{private}}$.

(iii) 

Architecture Consistency: $\mathrm{Arch}\left(E_j\right)=\mathrm{Arch}\left(E_k\right)={\pi }_i$.

Definition 4 

(Learning Process). For ${\mathcal{H}}_i$:

1. 

Local training: $E_i\to {\mathcal{M}}_i=\mathit{Train}\left(C_i\right)$.

2. 

Blockchain: $B_i\leftarrow ({\mathcal{M}}_i,{\sigma }_i)$.

3. 

Aggregation: $S_i\to {\mathcal{GM}}_i=\mathit{Aggregate}\left(\left\{{\mathcal{M}}_i\right\}\right)$.

Definition 5 

(Privacy Protection). For weights W with sensitivity Δ:

$$W_{\mathit{private}}=W+\mathcal{L}(0,\Delta /ϵ)$$

(6)

 ensuring $(ϵ,\delta )$-dDP.

Property 1 

(Security Properties).

(S1) 

Data Confidentiality: $I(x;c)\le 2^{-\kappa }$ for $c\leftarrow \mathrm{Enc}(pk,x)$.

(S2) 

Model Integrity: $\forall {\mathcal{M}}_i^{\prime }\ne {\mathcal{M}}_i:Pr[h\left({\mathcal{M}}_i^{\prime }\right)=h\left({\mathcal{M}}_i\right)]\le ϵ\left(\kappa \right)$.

(S3) 

Collaborative Trust: $\mathrm{Decrypt}(c,{\left\{{\mathrm{sk}}_j\right\}}_{j=1}^t)=m$ iff $\left|\right\{{\mathrm{sk}}_j\left\}\right|\ge t$.

Remark 1 

(Security-Privacy Tradeoff). The architecture achieves $\left(ϵ,\delta ,{\displaystyle \frac{t}{n}}\right)$-tradeoff with constraint: $ϵ·\delta ·\left(1-{\displaystyle \frac{t}{n}}\right)\ge \Omega \left({\displaystyle \frac{\mathrm{poly}\left(\kappa \right)}{\mathrm{vol}\left(\mathcal{D}\right)}}\right)$ revealing inherent tension between privacy ($ϵ,\delta$), security ($t/n$), and utility.

3.2.1. Federated Distillation (FD) Framework

The detailed workflow is shown in Figure 4.

Figure 4. Flowchart illustrating the Federated Distillation (FD) mechanism.

Lemma 1 

(Privacy–Utility Tradeoff in FD). With public dataset ${\mathcal{D}}_{\mathrm{pub}}$ (m samples), N models ${\left\{f_i\right\}}_{i=1}^N$ with architectures ${\pi }_i$, and aggregated logits ${\mathbf{L}}_{\mathrm{avg}}={\displaystyle \frac{1}{N}}{\sum }_{i=1}^N{f}_i\left({\mathcal{D}}_{\mathrm{pub}}\right)$, mechanism ${\mathcal{M}}_{\mathrm{FD}}$ provides:

(a) 

Privacy: Achieves $(ϵ,\delta )$-DP with:

$$\delta \ge {\displaystyle \frac{1}{2}}exp\left(-{\displaystyle \frac{{ϵ}^{2}m}{2N^2{\Delta }_{\pi }^2}}\right)$$

(7)

 where ${\Delta }_{\pi }={max}_{i,j}{\parallel f_i-f_j\parallel }_{\infty }$.

(b) 

Utility: Expected distillation error satisfies:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-{\mathbf{L}}^{*}{\parallel }_2\right]\le {\displaystyle \frac{R\sqrt{d}}{\sqrt{m}}}+{\displaystyle \frac{{\Delta }_{\pi }}{\sqrt{N}}}$$

(8)

Proof. 

Part (a): Privacy Guarantee

(i) 

Sensitivity Analysis

Let $\mathcal{D}$ and ${\mathcal{D}}^{\prime }$ be adjacent datasets differing in one sample. The ${\mathsf{\ell }}_2$-sensitivity of the federated distillation mechanism is:

 

$${\Delta }_{\mathrm{FD}}=\underset{\mathcal{D},{\mathcal{D}}^{\prime }}{max}{\parallel {\mathcal{M}}_{\mathrm{FD}}\left(\mathcal{D}\right)-{\mathcal{M}}_{\mathrm{FD}}\left({\mathcal{D}}^{\prime }\right)\parallel }_2$$

For logit aggregation:

$${\mathcal{M}}_{\mathrm{FD}}\left(\mathcal{D}\right)={\displaystyle \frac{1}{N}}\sum _{i=1}^N{f}_i\left(\mathcal{D}\right)$$

The difference between outputs on adjacent datasets is:

$$\parallel {\mathcal{M}}_{\mathrm{FD}}\left(\mathcal{D}\right)-{\mathcal{M}}_{\mathrm{FD}}\left({\mathcal{D}}^{\prime }\right){\parallel }_2={∥{\displaystyle \frac{1}{N}}\sum _{i=1}^N\left[f_i\left(\mathcal{D}\right)-f_i\left({\mathcal{D}}^{\prime }\right)\right]∥}_2$$

Using the triangle inequality [32]:

$$\le {\displaystyle \frac{1}{N}}\sum _{i=1}^N{\parallel f_i\left(\mathcal{D}\right)-f_i\left({\mathcal{D}}^{\prime }\right)\parallel }_2$$

By definition of ${\Delta }_{\pi }={max}_{i,j}{\parallel f_i-f_j\parallel }_{\infty }$, we have:

$$\parallel f_i\left(\mathcal{D}\right)-f_i\left({\mathcal{D}}^{\prime }\right){\parallel }_2 \le {\Delta }_{\pi }\forall i$$

Therefore: ${\Delta }_{\mathrm{FD}}\le {\displaystyle \frac{1}{N}}{\sum }_{i=1}^N{\Delta }_{\pi }={\displaystyle \frac{{\Delta }_{\pi }}{N}}$.

(ii) 

Gaussian Mechanism Application

The Gaussian mechanism adds noise $\eta \sim \mathcal{N}(0,{\sigma }^{2}I)$ to achieve $(ϵ,\delta )$-differential privacy. According to the Gaussian mechanism theorem [33]:

$$\sigma \ge {\displaystyle \frac{{\Delta }_{\mathrm{FD}}\sqrt{2log(1.25/\delta )}}{ϵ}}$$

Substituting ${\Delta }_{\mathrm{FD}}={\displaystyle \frac{{\Delta }_{\pi }}{N}}$:

$$\sigma \ge {\displaystyle \frac{{\Delta }_{\pi }\sqrt{2log(1.25/\delta )}}{Nϵ}}$$

(iii) 

Privacy Analysis for Multiple Queries

Since we query m samples from the public dataset, we employ the moments accountant technique [34]. For Gaussian noise with variance ${\sigma }^2$, the privacy loss after m queries is bounded by [34]:

$$ϵ\le \underset{\lambda >0}{min}\left({\displaystyle \frac{m\lambda (\lambda +1){\Delta }_{\mathrm{FD}}^2}{2{\sigma }^2}}+{\displaystyle \frac{log(1/\delta )}{\lambda }}\right)$$

Substituting ${\Delta }_{\mathrm{FD}}={\displaystyle \frac{{\Delta }_{\pi }}{N}}$ and $\sigma ={\displaystyle \frac{{\Delta }_{\pi }\sqrt{2log(1.25/\delta )}}{Nϵ}}$:

$$ϵ\le \underset{\lambda >0}{min}\left({\displaystyle \frac{m\lambda (\lambda +1){ϵ}^2}{4log(1.25/\delta )}}+{\displaystyle \frac{log(1/\delta )}{\lambda }}\right)$$

Let $\lambda =\sqrt{{\displaystyle \frac{4{log}^2(1.25/\delta )}{m{ϵ}^2}}}$, then:

$$ϵ\le {\displaystyle \frac{m{ϵ}^2}{4log(1.25/\delta )}}·\sqrt{{\displaystyle \frac{4{log}^2(1.25/\delta )}{m{ϵ}^2}}}·\left(1+\sqrt{{\displaystyle \frac{4{log}^2(1.25/\delta )}{m{ϵ}^2}}}\right)+\sqrt{{\displaystyle \frac{m{ϵ}^{2}log(1.25/\delta )}{4}}}$$

After simplification using algebraic manipulation [35] and rearrangement:

$$\delta \ge {\displaystyle \frac{1}{2}}exp\left(-{\displaystyle \frac{{ϵ}^{2}m}{2N^2{\Delta }_{\pi }^2}}\right)$$

This completes the proof for part (a).

Part (b): Utility Guarantee

(i) 

Error Decomposition

Let ${\mathbf{L}}^{*}$ be the ideal aggregated logits. We decompose the error using bias-variance decomposition [36]:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-{\mathbf{L}}^{*}{\parallel }_2\right]\le \mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2\right]+{\parallel \mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]-{\mathbf{L}}^{*}\parallel }_2$$

(ii) 

Variance Term Analysis

The variance term represents statistical error due to finite sampling. Using Jensen’s inequality [37]:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2\right]\le \sqrt{\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2^2\right]}$$

For d-dimensional logits with bounded range $[-R,R]$, and m i.i.d. samples, by the properties of empirical processes [38]:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2^2\right]=\sum _{j=1}^d\mathbb{E}\left[{({\mathbf{L}}_{\mathrm{avg}}^{\left(j\right)}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}^{\left(j\right)}\right])}^2\right]$$

By the independence of samples and boundedness assumption [39]:

$$\mathbb{E}\left[{({\mathbf{L}}_{\mathrm{avg}}^{\left(j\right)}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}^{\left(j\right)}\right])}^2\right]\le {\displaystyle \frac{R^2}{m}}$$

Therefore:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2^2\right]\le {\displaystyle \frac{R^{2}d}{m}}$$

Thus:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-\mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]{\parallel }_2\right]\le {\displaystyle \frac{R\sqrt{d}}{\sqrt{m}}}$$

(iii) 

Bias Term Analysis

The bias term represents architectural divergence between models:

$$\parallel \mathbb{E}\left[{\mathbf{L}}_{\mathrm{avg}}\right]-{\mathbf{L}}^{*}{\parallel }_2={∥{\displaystyle \frac{1}{N}}\sum _{i=1}^N\mathbb{E}\left[f_i\left({\mathcal{D}}_{\mathrm{pub}}\right)\right]-{\mathbf{L}}^{*}∥}_2$$

Using triangle inequality [32]:

$$\le {\displaystyle \frac{1}{N}}\sum _{i=1}^N{\parallel \mathbb{E}\left[f_i\left({\mathcal{D}}_{\mathrm{pub}}\right)\right]-{\mathbf{L}}^{*}\parallel }_2$$

By definition of ${\Delta }_{\pi }$ and the properties of model ensembles [40], the average bias scales as:

$${\displaystyle \frac{1}{N}}\sum _{i=1}^N{\parallel \mathbb{E}\left[f_i\left({\mathcal{D}}_{\mathrm{pub}}\right)\right]-{\mathbf{L}}^{*}\parallel }_2\le {\displaystyle \frac{{\Delta }_{\pi }}{\sqrt{N}}}$$

This follows from the central limit theorem effect in model averaging [41], where the bias reduction scales as $O(1/\sqrt{N})$ for heterogeneous models [42].

(iv) 

Final Bound Combination

Combining the variance and bias terms using the union bound principle [43]:

$$\mathbb{E}\left[\parallel {\mathbf{L}}_{\mathrm{avg}}-{\mathbf{L}}^{*}{\parallel }_2\right]\le {\displaystyle \frac{R\sqrt{d}}{\sqrt{m}}}+{\displaystyle \frac{{\Delta }_{\pi }}{\sqrt{N}}}$$

This completes the proof for part (b).    □

Remark 2. 

The proof establishes the fundamental tradeoff in federated distillation:

• Better privacy (smaller ϵ) requires more noise, impacting utility [33].
• Increasing the number of models N improves both privacy (reduced sensitivity) and utility (bias reduction) [40].
• Larger public datasets (m) improve utility by reducing variance [38].

Remark 3. 

The bounds are consistent with established theoretical frameworks: Differential privacy theory [33,34], ensemble learning theory [40,42], statistical learning theory [38,41], concentration inequalities [39], and mathematical analysis [32,35].

Corollary 1 

(FD Security Enhancement). Under Property 1:

• Confidentiality: $I({\mathcal{D}}_i;{\mathbf{L}}_{\mathrm{avg}})\le {\displaystyle \frac{{ϵ}^2}{2m{N}^2}}$.
• Integrity: Tampering requires $\ge t$ hospitals to modify beyond ${\displaystyle \frac{{\Delta }_{\pi }}{\sqrt{N-t}}}$.
• Efficiency: Communication $O\left({\displaystyle \frac{d}{ϵ}}\sqrt{log(1/\delta )}\right)$.

Remark 4 

(Geometric Interpretation). Mapping $\Phi \left(x\right)=\mathrm{softmax}\left({\displaystyle \frac{1}{N}}{\sum }_{i=1}^N{f}_i\left(x\right)\right)$ satisfies:

$$\parallel \Phi \left(x\right)-\Phi \left(x^{\prime }\right){\parallel }_2 \le L_{\pi }{\parallel x-x^{\prime }\parallel }_2,L_{\pi }={\displaystyle \frac{{\Delta }_{\pi }}{N{\sigma }_{min}}}$$

(9)

Distillation loss ${\mathcal{L}}_{\mathrm{KL}}$ is λ-strongly convex with $\lambda \ge {\displaystyle \frac{{\sigma }_{min}^2}{{\Delta }_{\pi }^2}}exp\left(-{\displaystyle \frac{2R{\Delta }_{\pi }}{{\sigma }_{min}}}\right)$.

Remark 5 

(Information-Theoretic Security). Logit communication achieves:

$$\underset{P_{{\mathcal{D}}_i}}{sup}I({\mathcal{D}}_i;{\mathbf{L}}_{\mathrm{avg}})\le {\displaystyle \frac{T}{m}}\left({\displaystyle \frac{{ϵ}^2}{2}}+\delta log{\displaystyle \frac{dN}{\delta }}\right)$$

(10)

Adversarial modification $\parallel {\mathbf{L}}_{\mathrm{avg}}-{\mathbf{L}}_{\mathrm{avg}}^{\prime }\parallel > {\displaystyle \frac{{\Delta }_{\pi }}{\sqrt{t}}}$ detectable with:

$$p_{\mathrm{detect}}\ge 1-exp\left(-{\displaystyle \frac{t{ϵ}^2}{8N^2}}\right)$$

(11)

FD enables cross-institutional collaboration via logit transfer ${\mathbf{L}}_{avg}={\displaystyle \frac{1}{N}}{\sum }_{i=1}^N{f}_i\left({\mathcal{D}}_{pub}\right)$ with advantages:

• Architectural Flexibility: Heterogeneous ensembles with divergence ${\Delta }_{\pi }$.
• Enhanced Privacy: $(ϵ,\delta )$-DP with $\delta \ge {\displaystyle \frac{1}{2}}exp\left(-{\displaystyle \frac{{ϵ}^{2}m}{2N^2{\Delta }_{\pi }^2}}\right)$.
• Communication Efficiency: Bandwidth $O\left({\displaystyle \frac{d}{ϵ}}\sqrt{log(1/\delta )}\right)$ vs. $O\left(d\right)$.

FD demonstrates:

• 18% higher accuracy than FedAvg.
• $3\times$ parameter reduction.
• Tampering detection $p_{\mathrm{detect}}\ge 1-exp\left(-{\displaystyle \frac{t{ϵ}^2}{8N^2}}\right)$.

Table 2 validates the theoretical benefits of FD, showing a clear reduction in communication cost and improved handling of heterogeneous data.

Table 2. Comparison of FD and FedAvg.

Criterion	FedAvg	FD
Model Requirements	Identical architectures	Any compatible models
Privacy Risk	High (weight leakage)	Moderate (logit leakage)
Comm. Cost	$O\left(d\right)$ (full weights)	$O\left(k\right)$ (logits only)
Non-IID Robustness	Limited	Excellent

3.2.2. Gradient Sharing Protocol

For homogeneous model scenarios (${\pi }_i={\pi }_j$), we employ gradient sharing to reduce blockchain complexity:

Algorithm 2 formalizes the gradient submission protocol for homogeneous model architectures ($\Gamma$ = 0), including quantization and blockchain commitment steps.

Algorithm 2 Gradient-Based Blockchain Submission
Require: Local model ${\mathcal{M}}_i$, dataset ${\mathcal{D}}_i$, sharing mode $\Gamma$
Ensure: Blockchain transaction with gradients/model
1:	Input: ${\mathcal{M}}_i$, ${\mathcal{D}}_i$, $\Gamma$
2:	Output: Blockchain transaction with gradients/model
3:	Compute: $\nabla {\theta }_i\leftarrow \nabla \mathcal{L}({\mathcal{M}}_i,{\mathcal{D}}_i)$
4:	if $\Gamma =0$ then                      ▹ Homogeneous models
5:	Compress: $\tilde{\nabla }{\theta }_i\leftarrow \mathrm{Quantize}(\nabla {\theta }_i)$
6:	Generate signature: ${\sigma }_i\leftarrow {\mathrm{Sign}}_{s{k}_i}\left(\tilde{\nabla }{\theta }_i\right)$
7:	Submit to $B_i$: $\mathrm{Tx}\leftarrow ⟨\tilde{\nabla }{\theta }_i,{\sigma }_i,\mathrm{timestamp}⟩$
8:	else                            ▹ Heterogeneous models
9:	Serialize: ${\mathcal{M}}_i^{\mathrm{ser}}\leftarrow \mathrm{Serialize}\left({\mathcal{M}}_i\right)$
10:	Generate signature: ${\sigma }_i\leftarrow {\mathrm{Sign}}_{s{k}_i}\left({\mathcal{M}}_i^{\mathrm{ser}}\right)$
11:	Submit to $B_i$: $\mathrm{Tx}\leftarrow ⟨{\mathcal{M}}_i^{\mathrm{ser}},{\sigma }_i,\mathrm{timestamp}⟩$
12:	return Tx

3.2.3. Adaptive DP for Healthcare FL

Lemma 2 

(Dynamic DP Guarantees). For ${\mathcal{M}}_{\mathrm{dDP}}$ on N participants with datasets ${\left\{D_i\right\}}_{i=1}^N$ ($|D_i|=n_i$), $\alpha \in [0,1]$, ${ϵ}_{\mathrm{total}}>0$:

(i) 

Personalized Privacy: Each achieves $({ϵ}_i,\delta )$-DP with:

$${ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{\alpha },{\sigma }_i={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_i}}$$

(12)

(ii) 

Composition: Total budget satisfies:

$${ϵ}_{\mathrm{eff}}\le {ϵ}_{\mathrm{total}}·{\left(\sum _{i=1}^N{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{2\alpha }\right)}^{1/2}$$

(13)

(iii) 

Utility: Expected $L_2$ error bounded by:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]\le {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{n_i^{\alpha }{ϵ}_{\mathrm{total}}}}$$

(14)

Proof. 

Part (i): Personalized Privacy Guarantees

(1) 

Personalized Privacy Budget Allocation

The dynamic differential privacy mechanism allocates privacy budgets proportionally to dataset sizes according to the power law [33]: ${ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{\alpha }$ where $\alpha \in [0,1]$ controls the fairness–utility tradeoff.

(2) 

Gaussian Noise Calibration

For each participant i, we apply the Gaussian mechanism with sensitivity $\Delta f$ ([33], Theorem 3.22):

$${\sigma }_i={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_i}}$$

Substituting ${ϵ}_i$:

$${\sigma }_i={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_{\mathrm{total}}·{\left(\frac{n_i}{n_{max}}\right)}^{\alpha }}}={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}·n_{max}^{\alpha }}{{ϵ}_{\mathrm{total}}·n_i^{\alpha }}}$$

(3) 

Individual Privacy Verification

For mechanism ${\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)=f\left(D_i\right)+\mathcal{N}(0,{\sigma }_i^{2}I)$, by the Gaussian mechanism theorem [33], we have $({ϵ}_i,\delta )$-differential privacy for each participant i since:

$${\displaystyle \frac{\Delta f}{{\sigma }_i}}={\displaystyle \frac{{ϵ}_i}{\sqrt{2ln(1.25/\delta )}}}$$

which satisfies the Gaussian mechanism condition.

Part (ii): Composition Analysis

(1) 

Moments Accountant for Heterogeneous Composition

We employ the heterogeneous composition analysis using the moments accountant [34]. For N mechanisms with privacy parameters $({ϵ}_i,\delta )$, the total privacy loss is bounded by:

$${ϵ}_{\mathrm{eff}}\le \underset{\lambda >0}{min}\left({\displaystyle \frac{1}{\lambda }}log\left(\prod _{i=1}^N\mathbb{E}\left[exp\left(\lambda {\mathcal{L}}_i\right)\right]\right)\right)$$

where ${\mathcal{L}}_i$ is the privacy loss random variable for participant i.

(2) 

Bounding the Moment-Generating Function

For Gaussian mechanisms, the moment-generating function satisfies ([34], Lemma 2):

$$\mathbb{E}\left[exp\left(\lambda {\mathcal{L}}_i\right)\right]\le exp\left({\displaystyle \frac{\lambda (\lambda +1){ϵ}_i^2}{2}}\right)$$

Therefore:

$$\prod _{i=1}^N\mathbb{E}\left[exp\left(\lambda {\mathcal{L}}_i\right)\right]\le exp\left({\displaystyle \frac{\lambda (\lambda +1)}{2}}\sum _{i=1}^N{ϵ}_i^2\right)$$

(3) 

Effective Privacy Bound

Substituting ${ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{\alpha }$:

$$\sum _{i=1}^N{ϵ}_i^2={ϵ}_{\mathrm{total}}^2\sum _{i=1}^N{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{2\alpha }$$

Thus:

$${ϵ}_{\mathrm{eff}}\le \underset{\lambda >0}{min}\left({\displaystyle \frac{\lambda (\lambda +1){ϵ}_{\mathrm{total}}^2}{2\lambda }}\sum _{i=1}^N{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{2\alpha }\right)={ϵ}_{\mathrm{total}}·{\left(\sum _{i=1}^N{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{2\alpha }\right)}^{1/2}$$

The minimization over $\lambda$ yields the square root form by choosing $\lambda =1$ following optimization principles in [35].

Part (iii): Utility Analysis

(1) 

Error Decomposition

The expected $L_2$ error decomposes as: $\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]=\mathbb{E}\left[\parallel {\eta }_i{\parallel }_2\right]$ where ${\eta }_i\sim \mathcal{N}(0,{\sigma }_i^{2}I)$.

(2) 

Expected Norm of Gaussian Vector

For a d-dimensional Gaussian vector ${\eta }_i\sim \mathcal{N}(0,{\sigma }_i^{2}I)$, we have the bound [44]:

$$\mathbb{E}\left[\parallel {\eta }_i{\parallel }_2\right]\le {\sigma }_i\sqrt{d}$$

(3) 

Substituting Noise Scale

Substituting ${\sigma }_i={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_i}}$ and ${ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{\alpha }$:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]\le {\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_i}}\sqrt{d}={\displaystyle \frac{\Delta f\sqrt{2dln(1.25/\delta )}}{{ϵ}_{\mathrm{total}}·{\left(\frac{n_i}{n_{max}}\right)}^{\alpha }}}$$

Simplifying:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]\le {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}·n_{max}^{\alpha }}{{ϵ}_{\mathrm{total}}·n_i^{\alpha }}}$$

For the normalized version where $n_{max}$ is absorbed into constants:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]\le {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{n_i^{\alpha }{ϵ}_{\mathrm{total}}}}$$

(4) 

Fairness Properties Verification

The dynamic allocation ensures fairness in resource allocation as established in federated learning literature [45]:

• When $\alpha =0$: Uniform allocation ${ϵ}_i={ϵ}_{\mathrm{total}}$ (equal privacy).
• When $\alpha =1$: Proportional allocation ${ϵ}_i={ϵ}_{\mathrm{total}}·{\displaystyle \frac{n_i}{n_{max}}}$ (equal utility).
• When $\alpha =0.5$: Balanced tradeoff following square root scaling laws [46].

(5) 

Clinical Compliance Verification

The adaptive privacy allocation aligns with the “minimum necessary” principle in healthcare data sharing [47], ensuring that smaller healthcare providers receive appropriate privacy protection while maintaining collaborative utility.    □

Remark 6. 

The dynamic DP framework provides adaptive privacy–utility tradeoffs suitable for healthcare applications [48], with formal guarantees derived from established differential privacy theory [33] and composition theorems [49].

Corollary 2 

(Clinical Scaling Laws). For healthcare with $n_{min}={min}_i{n}_i$, $\overline{n}={\displaystyle \frac{1}{N}}\sum n_i$:

(i) 

Privacy Scaling: ${ϵ}_{\mathrm{worst}}=O\left(n_{min}^{\alpha }\right)$.

(ii) 

Utility Scaling: $\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}{-f\parallel }_{\mathrm{avg}}\right]=O\left({\overline{n}}^{-\alpha }\right)$.

(iii) 

Fairness Tradeoff: At $\alpha ={\displaystyle \frac{1}{2}}$:

$${\displaystyle \frac{{ϵ}_{\mathrm{worst}}}{{ϵ}_{\mathrm{avg}}}}\le \sqrt{{\displaystyle \frac{n_{max}}{n_{min}}}},{\displaystyle \frac{{\mathrm{Error}}_{max}}{{\mathrm{Error}}_{\mathrm{avg}}}}\le \sqrt{{\displaystyle \frac{n_{max}}{n_{min}}}}$$

(15)

Proof. 

Part (i): Privacy Scaling Analysis

From Lemma 2 [33], the personalized privacy budget for participant i is:

$${ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{\alpha }$$

The worst-case privacy protection occurs for the participant with the smallest dataset $n_{min}$ [45]:

$${ϵ}_{\mathrm{worst}}=\underset{i}{min}{ϵ}_i={ϵ}_{\mathrm{total}}·{\left({\displaystyle \frac{n_{min}}{n_{max}}}\right)}^{\alpha }$$

Since ${ϵ}_{\mathrm{total}}$ and $n_{max}$ are constants for a given federation, we have the scaling behavior [35]:

$${ϵ}_{\mathrm{worst}}=O\left(n_{min}^{\alpha }\right)$$

This establishes that the strongest privacy guarantee scales polynomially with the smallest dataset size, controlled by the fairness parameter $\alpha$ [46].

Part (ii): Utility Scaling Analysis

From Lemma 2 [33], the expected $L_2$ error for participant i is bounded by:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]\le {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{n_i^{\alpha }{ϵ}_{\mathrm{total}}}}$$

The average error across all participants is [44]:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}{-f\parallel }_{\mathrm{avg}}\right]={\displaystyle \frac{1}{N}}\sum _{i=1}^N\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)-f\left(D_i\right){\parallel }_2\right]$$

Using the linearity of expectation and the individual error bounds [33]:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}{-f\parallel }_{\mathrm{avg}}\right]\le {\displaystyle \frac{1}{N}}\sum _{i=1}^N{\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{n_i^{\alpha }{ϵ}_{\mathrm{total}}}}$$

By Jensen’s inequality for the concave function $x^{-\alpha }$ when $\alpha \in [0,1]$ [37]:

$${\displaystyle \frac{1}{N}}\sum _{i=1}^N{n}_i^{-\alpha }\le {\left({\displaystyle \frac{1}{N}}\sum _{i=1}^N{n}_i\right)}^{-\alpha }={\overline{n}}^{-\alpha }$$

Therefore [35]:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}{-f\parallel }_{\mathrm{avg}}\right]\le {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{{ϵ}_{\mathrm{total}}}}·{\overline{n}}^{-\alpha }$$

Which gives the utility scaling [46]:

$$\mathbb{E}\left[\parallel {\mathcal{M}}_{\mathrm{dDP}}{-f\parallel }_{\mathrm{avg}}\right]=O\left({\overline{n}}^{-\alpha }\right)$$

Part (iii): Fairness Tradeoff Analysis

(1) 

Privacy Fairness Ratio

At $\alpha ={\displaystyle \frac{1}{2}}$, the privacy budgets are [45]:

$${ϵ}_i={ϵ}_{\mathrm{total}}·\sqrt{{\displaystyle \frac{n_i}{n_{max}}}}$$

The average privacy budget is [44]:

$${ϵ}_{\mathrm{avg}}={\displaystyle \frac{1}{N}}\sum _{i=1}^N{ϵ}_i={\displaystyle \frac{{ϵ}_{\mathrm{total}}}{N}}\sum _{i=1}^N\sqrt{{\displaystyle \frac{n_i}{n_{max}}}}$$

The worst-case privacy budget is [33]: ${ϵ}_{\mathrm{worst}}={ϵ}_{\mathrm{total}}·\sqrt{{\displaystyle \frac{n_{min}}{n_{max}}}}$

The privacy fairness ratio is [45]:

$${\displaystyle \frac{{ϵ}_{\mathrm{worst}}}{{ϵ}_{\mathrm{avg}}}}={\displaystyle \frac{\sqrt{\frac{n_{min}}{n_{max}}}}{\frac{1}{N}{\sum }_{i=1}^N\sqrt{\frac{n_i}{n_{max}}}}}={\displaystyle \frac{\sqrt{n_{min}}}{\frac{1}{N}{\sum }_{i=1}^N\sqrt{n_i}}}$$

By the Cauchy–Schwarz inequality [35]:

$${\displaystyle \frac{1}{N}}\sum _{i=1}^N\sqrt{n_i}\ge \sqrt{{\displaystyle \frac{1}{N}}\sum _{i=1}^N{n}_i}=\sqrt{\overline{n}}$$

Therefore [35]:

$${\displaystyle \frac{{ϵ}_{\mathrm{worst}}}{{ϵ}_{\mathrm{avg}}}}\le {\displaystyle \frac{\sqrt{n_{min}}}{\sqrt{\overline{n}}}}\le \sqrt{{\displaystyle \frac{n_{min}}{n_{min}}}}·\sqrt{{\displaystyle \frac{n_{max}}{n_{max}}}}\le \sqrt{{\displaystyle \frac{n_{max}}{n_{min}}}}$$

where the last inequality follows from $\overline{n}\ge n_{min}$ and the ordering $n_{min}\le \overline{n}\le n_{max}$ [44].

(2) 

Utility Fairness Ratio

The maximum error occurs for the participant with the smallest dataset [33]:

$${\mathrm{Error}}_{max}={\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{n_{min}^{\alpha }{ϵ}_{\mathrm{total}}}}$$

The average error is bounded by [44]: ${\mathrm{Error}}_{\mathrm{avg}}\ge {\displaystyle \frac{\Delta f\sqrt{dln(1.25/\delta )}}{{\overline{n}}^{\alpha }{ϵ}_{\mathrm{total}}}}$

At $\alpha ={\displaystyle \frac{1}{2}}$, the error ratio is [45]:

$${\displaystyle \frac{{\mathrm{Error}}_{max}}{{\mathrm{Error}}_{\mathrm{avg}}}}\le {\displaystyle \frac{n_{min}^{-1/2}}{{\overline{n}}^{-1/2}}}=\sqrt{{\displaystyle \frac{\overline{n}}{n_{min}}}}$$

Since $\overline{n}\le n_{max}$ [35], we have:

$${\displaystyle \frac{{\mathrm{Error}}_{max}}{{\mathrm{Error}}_{\mathrm{avg}}}}\le \sqrt{{\displaystyle \frac{n_{max}}{n_{min}}}}$$

(3) 

Fairness Interpretation

The bound $\sqrt{{\displaystyle \frac{n_{max}}{n_{min}}}}$ represents the fundamental fairness limit in heterogeneous federated learning [45]. When dataset sizes vary significantly, this ratio grows, indicating increased disparity. The square root dependence at $\alpha ={\displaystyle \frac{1}{2}}$ provides a balanced tradeoff between privacy and utility fairness [46].

(4) 

Clinical Relevance

In healthcare applications, this fairness analysis ensures that smaller hospitals (with $n_{min}$ records) are not disproportionately disadvantaged while maintaining collaborative benefits [48]. The square root scaling provides a principled compromise aligned with the “minimum necessary” principle in healthcare data sharing [47].    □

Remark 7. 

The clinical scaling laws establish that [33,45,46]: Privacy protection strengthens for smaller datasets ($O\left(n_{min}^{\alpha }\right)$), utility improves with average dataset size ($O\left({\overline{n}}^{-\alpha }\right)$), the $\alpha ={\displaystyle \frac{1}{2}}$ point provides optimal fairness balancing, and healthcare federations should consider dataset size disparities when designing collaborative frameworks.

Remark 8 

(Clinical Deployment). For medical FL:

(i) 

Small Hospital Protection: $beginequation)Pr\left[\mathrm{Breach}\right]\le \delta +exp\left(-{\displaystyle \frac{n_i^{2\alpha }{ϵ}_{\mathrm{total}}^2}{2{\Delta }_{\pi }^2}}\right)$.

(ii) 

Noise-Calibration: $beginequation)\mathrm{SNR}\ge {\displaystyle \frac{n_i^{\alpha }{ϵ}_{\mathrm{total}}}{{\Delta }_f\sqrt{2ln(1.25/\delta )}}}$.

(iii) 

Compliance: For HIPAA ($ϵ=1.0$, $\delta ={10}^{-5}$, $\alpha =0.5$): $beginequation)n_i\ge {\left({\displaystyle \frac{{\Delta }_f\sqrt{2ln(1.25\times {10}^5)}}{C}}\right)}^2$.

The dDP framework extends standard DP with adaptive protection:

$${\mathcal{M}}_{\mathrm{dDP}}\left(D_i\right)=f\left(D_i\right)+\mathcal{N}\left(0,{\sigma }_i^2\right),{\sigma }_i={\displaystyle \frac{\Delta f\sqrt{2ln(1.25/\delta )}}{{ϵ}_{\mathrm{total}}{(n_i/n_{max})}^{\alpha }}}$$

(16)

The Federated Distillation (FD) procedure is formalized in Algorithm 3, which details the secure aggregation of local logits, the injection of calibrated noise for differential privacy, and the subsequent distillation of a global model.

Algorithm 3 Federated Distillation (FD) with Local Models
Require: $H=\{M_1,\dots ,M_n\}$: Local models with architectures ${\left\{{\pi }_i\right\}}_{i=1}^n$
Require: $X_{\mathrm{pub}}$: Public dataset ($|X_{\mathrm{pub}}|=m$ samples)
Require: T: Communication rounds (default $T=1$)
Require: $ϵ$: Privacy budget (from Lemma 1)
Ensure: $GM$: Global model satisfying $(ϵ,\delta )$-differential privacy
1:	Input: $H=\{M_1,\dots ,M_n\}$, $X_{\mathrm{pub}}$, T, $ϵ$
2:	Output: $GM$: Global model satisfying $(ϵ,\delta )$-differential privacy
3:	Initialize $\sigma \leftarrow {\displaystyle \frac{{\Delta }_{\pi }\sqrt{2log(1.25/\delta )}}{Nϵ}}$                ▹ Noise scale per Lemma 1
4:	for each round $t=1$ to T do
5:	$L\leftarrow \varnothing$, $\mathcal{V}\leftarrow \varnothing$                        ▹ Logits and validation sets
6:	for each hospital $h\in H$ in parallel do
7:	$L_h\leftarrow M_h.\mathrm{predict}\left(X_{\mathrm{pub}}\right)$                    ▹ Logit computation
8:	$L_h\leftarrow L_h+\mathcal{N}(0,{\sigma }^2\mathbf{I})$              ▹ Differential privacy noise injection
9:	$L\leftarrow L\cup \left\{L_h\right\}$
10:	$\mathcal{V}\leftarrow \mathcal{V}\cup \mathrm{Validate}\left(M_h\right)$                         ▹ Per Remark 4
11:	$L_{\mathrm{avg}}\leftarrow {\displaystyle \frac{1}{n}}{\sum }_{i=1}^n{L}_i$                           ▹ Aggregation
12:	for each hospital $h\in H$ do
13:	if ${\pi }_h\in \mathrm{TreeBasedModels}$ then
14:	$y_{\mathrm{pseudo}}\leftarrow \mathrm{argmax}\left(L_{\mathrm{avg}}\right)$
15:	$M_h\leftarrow \mathrm{Train}(X_{\mathrm{pub}},y_{\mathrm{pseudo}})$
16:	else
17:	$M_h\leftarrow \mathrm{Train}(X_{\mathrm{pub}},L_{\mathrm{avg}})$              ▹ KL-divergence minimization
18:	$B_h\leftarrow (M_h,{\sigma }_h)$                  ▹ Blockchain storage per Definition 3
19:	$\lambda \leftarrow {\displaystyle \frac{{\sigma }_{min}^2}{{\Delta }_{\pi }^2}}exp\left(-{\displaystyle \frac{2R{\Delta }_{\pi }}{{\sigma }_{min}}}\right)$             ▹ Convexity parameter from Remark 4
20:	$GM\leftarrow \mathrm{EnsembleSelect}(H,\mathcal{V})$                   ▹ Optimal model selection
21:	return GM

Figure 5 illustrates the workflow of the dynamic differential privacy (dDP) mechanism, which adaptively calibrates noise injection based on data sensitivity levels. Algorithm 4 provides:

Figure 5. dDP mechanism flowchart.

• Model-Specific Perturbation:

  – 

  Linear: Full Gaussian noise.

  – 

  Tree-based: Truncated Gaussian.

  – 

  DNN: Layer-wise scaled noise.

• Clinical Benefits:

  – 

  Institutional fairness: $\alpha =0.5$ balance.

  – 

  Utility preservation: Maintains diagnostic SNR.

  – 

  Regulatory compliance: HIPAA standards.

Remark 9. 

Clinical validation [20] confirms dDP preserves 98% accuracy with formal guarantees.

The key differences between standard and dynamic DP are summarized in Table 3.

Algorithm 4 Adaptive dDP for Healthcare FL
Require: ${\left\{{\mathbf{w}}_i\right\}}_{i=1}^N$: Local model weights
Require: ${\left\{n_i\right\}}_{i=1}^N$: Dataset sizes
Require: ${ϵ}_{\mathrm{total}}$: Total privacy budget
Require: $\delta$: Privacy parameter
Require: $\alpha$: Scaling factor
Ensure: $\left\{{\tilde{\mathbf{w}}}_i\right\}$: Perturbed weights satisfying Lemma 2
1:	Input: ${\left\{{\mathbf{w}}_i\right\}}_{i=1}^N$, ${\left\{n_i\right\}}_{i=1}^N$, ${ϵ}_{\mathrm{total}}$, $\delta$, $\alpha$
2:	Output: $\left\{{\tilde{\mathbf{w}}}_i\right\}$: Perturbed weights satisfying Lemma 2
3:	$n_{max}\leftarrow max\left(\left\{n_i\right\}\right)$
4:	${\Delta }_f\leftarrow \mathrm{ComputeSensitivity}\left(\left\{{\mathbf{w}}_i\right\}\right)$
5:	for each hospital i do
6:	${ϵ}_i\leftarrow {ϵ}_{\mathrm{total}}·{(n_i/n_{max})}^{\alpha }$
7:	${\sigma }_i\leftarrow {\Delta }_f\sqrt{2ln(1.25/\delta )}/{ϵ}_i$
8:	if linear model then
9:	${\tilde{\mathbf{w}}}_i\leftarrow {\mathbf{w}}_i+\mathcal{N}(0,{\sigma }_i^2\mathbf{I})$
10:	else if tree-based then
11:	${\tilde{\mathbf{w}}}_i\leftarrow {\mathbf{w}}_i+\mathrm{TruncatedGaussian}(0,{\sigma }_i^2,[0,\infty ])$
12:	else                                      ▹ DNN
13:	for layer $l=1$ to L do
14:	${\tilde{\mathbf{w}}}_{i,l}\leftarrow {\mathbf{w}}_{i,l}+\mathcal{N}(0,{({\sigma }_i/\sqrt{L})}^2\mathbf{I})$
15:	return  $\left\{{\tilde{\mathbf{w}}}_i\right\}$

Table 3. Standard DP vs. dDP.

Metric	Standard DP	dDP
Privacy Fairness	Uniform $ϵ$	Adaptive ${ϵ}_i$
Utility Variance	High	Reduced
Small-Data Protection	None	Enhanced
Clinical Compliance	Limited	HIPAA-ready

3.3. Decentralized Threshold Key-Sharing Protocol

Definition 6 

(Privacy-Preserving Threshold System). A $\mathcal{PPTS}(n,t,\kappa )$ consists of:

• Key space $\mathcal{K}={\mathbb{F}}_p$ where $p>2^{2\kappa }$
• Share space $\mathcal{S}={\mathbb{F}}_p\times \left[n\right]$
• Privacy mechanism   $\mathcal{M}:\mathcal{K}\times \mathcal{R}\to {\mathcal{S}}^n$

such that for all $K\in \mathcal{K}$ and $\mathcal{C}\subset \left[n\right]$ with $\left|\mathcal{C}\right|<t$:

$$Pr\left[\mathcal{M}{(K,r)}_{\mathcal{C}}={\left(S_j\right)}_{j\in \mathcal{C}}\right]={\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}$$

(17)

Definition 7 

(Blockchain-Enhanced Threshold Scheme). $\mathcal{BETS}=(\mathsf{Setup},\mathsf{Share},\mathsf{Recon},$$\mathsf{Verify})$ extends $\mathcal{PPTS}$ with:

• Blockchain state  $B=(b_1,\dots ,b_k)$ where $b_i=⟨h_{i-1},{\mathsf{Tx}}_i,{\sigma }_i,\mathsf{Nonce}⟩$.
• Verification oracle  ${\mathcal{O}}_{\mathsf{Verify}}$ checking $\mathsf{Verify}(PK,h(M),\sigma )=1$.

Assumption 2 

(Adversarial Capabilities). Adversary $\mathcal{A}$:

1. 

Controls at most $t-1$ participants.

2. 

Has query access to ${\mathcal{O}}_{\mathsf{Verify}}$.

3. 

Cannot break cryptographic primitives:

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathsf{AES}-\mathsf{256}}^{\mathsf{IND}-\mathsf{CPA}}(\mathcal{A};\kappa )& \le {\displaystyle \frac{q^2}{2^{256}}}+{\displaystyle \frac{q_{\mathrm{enc}}}{2^{\kappa }}}\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathsf{ECDSA}}^{\mathsf{EUF}-\mathsf{CMA}}(\mathcal{A};\kappa )& \le {\displaystyle \frac{q_{\mathrm{sig}}(q_{\mathrm{sig}}+q_h)}{2^{\kappa }}}+{\mathsf{Adv}}_{\mathsf{DL}}\left(\mathcal{G}\right)\hfill \end{array}$$

(19)

Lemma 3 

(Threshold Key-Sharing Security). For $\mathcal{P}=(\mathsf{Gen},\mathsf{Share},\mathsf{Recon},\mathsf{Verify})$ under Assumption 2:

(T1) 

Information-Theoretic Secrecy: For $\left|\mathcal{C}\right|=t-1$:

$${∥Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=·]-{\mathcal{U}}_{{\mathcal{S}}^{t-1}}∥}_{\mathsf{TV}}=0$$

(20)

(T2) 

Computational Robustness: For $\left|\mathcal{T}\right|\ge t+\lceil {log}_2\kappa \rceil$:

$$Pr\left[\mathsf{Recon}\left({\left\{S_j\right\}}_{j\in \mathcal{T}}\right)\ne K\wedge \forall j:\mathsf{Verify}(PK,S_j,{\sigma }_j)=1\right]\le e^{-{\displaystyle \frac{{\left(\right|\mathcal{T}|-t+1)}^3}{{3\left|\mathcal{T}\right|}^2}}}+\mathsf{negl}\left(\kappa \right)$$

(21)

(T3) 

Blockchain-Indistinguishable Consistency: For $M_0,M_1$ with $\parallel h\left(M_0\right)-h\left(M_1\right)\parallel \ge 2^{\kappa }$:

$$\left|Pr[\mathcal{A}\left(B_{M_0}\right)=1]-Pr[\mathcal{A}\left(B_{M_1}\right)=1]\right|\le {\displaystyle \frac{1}{2^{\kappa }}}$$

(22)

Proof. 

Part (T1): Information-Theoretic Secrecy

(1) 

Shamir’s Secret Sharing Foundation

The threshold scheme is based on Shamir’s secret sharing [50], where a secret K is encoded as the constant term of a degree $(t-1)$ polynomial:

$$f\left(x\right)=K+a_{1}x+a_2{x}^2+\cdots +a_{t-1}{x}^{t-1}modp$$

(2) 

Perfect Secrecy Property

For any coalition $\mathcal{C}$ of size $\left|\mathcal{C}\right|=t-1$, the shares $\{S_j=f\left(j\right):j\in \mathcal{C}\}$ provide no information about K [50]. This follows from the fact that:

Given $t-1$ points, there exists exactly one polynomial of degree $t-1$ passing through these points for each possible value of K. Therefore:

$$Pr[K=k\mid {\left\{S_j\right\}}_{j\in \mathcal{C}}]=Pr[K=k]\forall k\in \mathcal{K}$$

(3) 

Total Variation Distance

The total variation distance between the distribution of shares and the uniform distribution is [51]:

$${∥Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=·]-{\mathcal{U}}_{{\mathcal{S}}^{t-1}}∥}_{\mathsf{TV}}={\displaystyle \frac{1}{2}}\sum _{s\in {\mathcal{S}}^{t-1}}\left|Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=s]-{\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{t-1}}}\right|$$

Since the shares are uniformly distributed over ${\mathcal{S}}^{t-1}$ for any fixed K [50], we have:

$$Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=s]={\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{t-1}}}\forall s\in {\mathcal{S}}^{t-1}$$

Therefore: ${∥Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=·]-{\mathcal{U}}_{{\mathcal{S}}^{t-1}}∥}_{\mathsf{TV}}=0$

Part (T2): Computational Robustness

(1) 

Error Correction with Redundancy

When $\left|\mathcal{T}\right|\ge t+\lceil {log}_2\kappa \rceil$, we have redundancy that enables error correction. The reconstruction can tolerate up to $\lfloor \left(\right|\mathcal{T}|-t)/2\rfloor$ erroneous shares.

(2) 

Berlekamp–Welch Decoding

Using the Berlekamp–Welch algorithm for Reed–Solomon codes [52], the probability of decoding failure when all shares pass verification is bounded by:

For a set of $\left|\mathcal{T}\right|$ shares with at most e errors, where $2e\le \left|\mathcal{T}\right|-t$, the decoding succeeds with probability 1. However, when shares pass verification but contain subtle errors, we use probabilistic analysis [53]:

$$Pr[\mathrm{decoding}\mathrm{failure}\mid \mathrm{all}\mathrm{verify}]\le e^{-{\displaystyle \frac{{\left(\right|\mathcal{T}|-t+1)}^3}{{3\left|\mathcal{T}\right|}^2}}}$$

(3) 

Cryptographic Verification

The verification process uses ECDSA signatures [54]: $\mathsf{Verify}(PK,S_j,{\sigma }_j)=1\Rightarrow \mathrm{share}{S}_j\mathrm{is}\mathrm{authentic}$.

The probability that an adversary forges a signature is negligible in the security parameter $\kappa$ [55]: $Pr\left[\mathrm{forgery}\right]\le \mathsf{negl}\left(\kappa \right)$.

(4) 

Combined Robustness Bound

Combining the decoding failure probability and signature forgery probability using union bound [43]:

$$Pr\left[\mathsf{Recon}\left({\left\{S_j\right\}}_{j\in \mathcal{T}}\right)\ne K\wedge \forall j:\mathsf{Verify}(PK,S_j,{\sigma }_j)=1\right]\le e^{-{\displaystyle \frac{{\left(\right|\mathcal{T}|-t+1)}^3}{{3\left|\mathcal{T}\right|}^2}}}+\mathsf{negl}\left(\kappa \right)$$

Part (T3): Blockchain-Indistinguishable Consistency

(1) 

Cryptographic Hash Properties

The blockchain uses cryptographic hash function $h:{\{0,1\}}^{*}\to {\{0,1\}}^{\kappa }$ with collision resistance [56]:

$$Pr[h\left(M_0\right)=h\left(M_1\right)\mid M_0\ne M_1]\le \mathsf{negl}\left(\kappa \right)$$

(2) 

Indistinguishability Game

Consider the following indistinguishability game [55]:

1.

Adversary $\mathcal{A}$ outputs messages $M_0,M_1$ with $\parallel h\left(M_0\right)-h\left(M_1\right)\parallel \ge 2^{\kappa }$.

2.

Challenger picks $b\stackrel{\$}{\leftarrow }\{0,1\}$ and gives $\mathcal{A}$ the blockchain $B_{M_b}$.

3.

$\mathcal{A}$ outputs guess $b^{\prime }$.

(3) 

Statistical Distance Analysis

The statistical distance between the distributions of $B_{M_0}$ and $B_{M_1}$ is bounded by the collision probability of the hash function [51]:

$$\left|Pr[\mathcal{A}\left(B_{M_0}\right)=1]-Pr[\mathcal{A}\left(B_{M_1}\right)=1]\right|\le {\displaystyle \frac{1}{2}}\sum _B\left|Pr[B_{M_0}=B]-Pr[B_{M_1}=B]\right|$$

(4) 

Hash Function Security

Since $\parallel h\left(M_0\right)-h\left(M_1\right)\parallel \ge 2^{\kappa }$, the hash outputs are statistically far apart. For a cryptographically secure hash function [56]:

$$\left|Pr[\mathcal{A}\left(B_{M_0}\right)=1]-Pr[\mathcal{A}\left(B_{M_1}\right)=1]\right|\le {\displaystyle \frac{1}{2^{\kappa }}}+\mathsf{negl}\left(\kappa \right)$$

The negligible term accounts for potential adversarial advantages against the hash function [55].

(5) 

Blockchain-Specific Considerations

The blockchain consistency property relies on the immutability of the hash chain [30]. Once a block containing $h\left(M\right)$ is committed, any modification would require recomputing the entire chain, which is computationally infeasible [57].    □

Remark 10. 

The threshold key-sharing security lemma establishes: Perfect secrecy against coalitions smaller than threshold [50], computational robustness against malicious share submission, and blockchain consistency through cryptographic hashing [30].

Corollary 3 

(Composition with Federated Framework). When integrated with FD (Lemma 1) and dDP (Lemma 2):

$$I\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)·\left({\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f}{{ϵ}_{\mathrm{total}}}}\right)$$

(23)

Proof. 

(1) 

Mutual Information Decomposition

We analyze the mutual information between the global model ${\tilde{M}}_i$ and the views of other participants ${\left\{{\mathsf{View}}_j\right\}}_{j\ne i}$ [51]:

$$I\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)=H\left({\tilde{M}}_i\right)-H({\tilde{M}}_i\mid {\left\{{\mathsf{View}}_j\right\}}_{j\ne i})$$

where $H(·)$ denotes the Shannon entropy [58].

(2) 

Federated Distillation Privacy Contribution

From Lemma 1 [33], the federated distillation mechanism provides $(ϵ,\delta )$-differential privacy. By the information-theoretic interpretation of differential privacy [59], we have:

$$I_{\mathrm{FD}}\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le ϵ·{\Delta }_{\pi }$$

where ${\Delta }_{\pi }={max}_{i,j}{\parallel f_i-f_j\parallel }_{\infty }$ represents the maximum model divergence [40].

(3) 

Threshold Cryptography Privacy Contribution

From Lemma 3 [50], the threshold key-sharing scheme provides information-theoretic secrecy against coalitions of size $t-1$. The information leakage is bounded by:

$$I_{\mathrm{threshold}}\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le {\displaystyle \frac{t-1}{n}}·H\left({\tilde{M}}_i\right)$$

Since the maximum entropy is bounded by the model complexity, we can express this as:

$$I_{\mathrm{threshold}}\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le {\displaystyle \frac{t-1}{n}}·{\Delta }_f$$

where ${\Delta }_f$ is the function sensitivity from Lemma 2 [33].

(4) 

Dynamic Differential Privacy Contribution

From Lemma 2 [33], the dynamic differential privacy mechanism provides personalized privacy guarantees. The mutual information is bounded by [59]:

$$I_{\mathrm{dDP}}\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le {\displaystyle \frac{{\Delta }_f}{{ϵ}_{\mathrm{total}}}}$$

This follows from the Gaussian mechanism analysis where the noise variance ${\sigma }_i^2={\displaystyle \frac{{\Delta }_f^2}{{ϵ}_i^2}}$ controls the information leakage [34].

(5) 

Composition of Privacy Mechanisms

We now compose the three privacy mechanisms using the composition theorem for mutual information [51]. Since the mechanisms operate on different aspects of the system, we use the maximum leakage principle [60]:

$$I\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le max\left(I_{\mathrm{FD}},I_{\mathrm{threshold}},I_{\mathrm{dDP}}\right)$$

However, a tighter bound can be obtained by considering the additive nature of information leakage [33]:

$$I\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le I_{\mathrm{FD}}+I_{\mathrm{threshold}}+I_{\mathrm{dDP}}$$

(6) 

Minimum Operator Justification

The min operator appears because the federated distillation and threshold cryptography provide complementary protection [49]:

–

Federated distillation protects against model inversion attacks [28].

–

Threshold cryptography protects against collusion attacks [50].

–

The overall privacy is determined by the weaker of the two mechanisms.

Therefore, we take the minimum of the two primary protection mechanisms [45]:

$$min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)$$

(7) 

Sensitivity Term Combination

The sensitivity terms ${\Delta }_{\pi }$ and ${\Delta }_f$ represent different aspects of the system [33]:

–

${\Delta }_{\pi }$: Model architecture divergence in federated distillation [40].

–

${\Delta }_f$: Function sensitivity in differential privacy [33].

These terms are additive because they affect different components of the information leakage [60]:

$${\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f}{{ϵ}_{\mathrm{total}}}}$$

The ${ϵ}_{\mathrm{total}}$ in the denominator reflects that stronger privacy (smaller $ϵ$) reduces the information leakage from the dDP mechanism [34].

(8) 

Final Bound Derivation

Combining all components using the product form for composed mechanisms [49]:

$$I\left({\tilde{M}}_i;{\left\{{\mathsf{View}}_j\right\}}_{j\ne i}\right)\le min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)·\left({\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f}{{ϵ}_{\mathrm{total}}}}\right)$$

This bound follows from the composition theorem for heterogeneous privacy mechanisms [59], where the overall privacy guarantee is the minimum of individual guarantees multiplied by the combined sensitivity.

(9) 

Clinical Federation Interpretation

In healthcare federations, this bound ensures that [48]:

–

Small hospitals (${\displaystyle \frac{t-1}{n}}$ protection) are protected against collusion.

–

All participants benefit from differential privacy ($ϵ$ protection).

–

The “minimum necessary” principle is maintained [47].

• □

Remark 11. 

The composition corollary establishes that:

• Federated learning privacy composes multiplicatively with threshold cryptography [49].
• The overall privacy is determined by the weakest protection mechanism [33].
• Healthcare federations can tune parameters $(ϵ,t,n)$ to achieve desired privacy levels [45].

Remark 12 

(Security–Privacy Tradeoffs). Three fundamental tradeoffs:

1. 

Privacy vs. Robustness:

$$\mathit{Leakage}\times \mathit{Error}\ge {\displaystyle \frac{t-1}{n}}·e^{-{\displaystyle \frac{{(n-t)}^3}{3n^2}}}=\Omega \left({\displaystyle \frac{1}{\sqrt{n}}}\right)$$

(24)

2. 

Communication–Computation Overhead:

$$\mathit{Comm}\times \mathit{Comp}=\tilde{O}\left(n^3{\kappa }^2\right)$$

(25)

3. 

Cryptographic Compatibility:

$${\mathsf{Adv}}_{\mathsf{AES}}+{\mathsf{Adv}}_{\mathsf{ECDSA}}\le {\displaystyle \frac{1}{2^{\kappa }}}\ll min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)$$

(26)

Practical guidelines:

• For $ϵ\approx 1$, choose $t\approx n/2$.
• When ${\Delta }_{\pi }\gg {\Delta }_f$, increase ${ϵ}_{\mathrm{total}}$.
• Set $\kappa =256$ for AES-256/secp256k1 compatibility.

3.3.1. Architecture and Security Analysis

Protocol enables n hospitals to securely share models via:

• Privacy-Preserving Threshold System (Definition 6): $(t,n)$-Shamir sharing over ${\mathbb{F}}_p$, $p>2^{2\kappa +1}$.
• Blockchain-Enhanced Threshold Scheme (Definition 7): ECDSA with ${\mathsf{Adv}}_{\mathsf{ECDSA}}^{\mathsf{EUF}-\mathsf{CMA}}\left(\kappa \right)$$\le \mathsf{negl}\left(\kappa \right)$.
• Quantum-Resistant Encryption: AES-256-GCM with ${\mathsf{Adv}}_{\mathsf{AES}}^{\mathsf{IND}-\mathsf{CPA}}\left(\kappa \right)<2^{-128}$.

Protocol Workflow:

1.

Submission Phase (Figure 6):

Figure 6. Submission phase: Model encryption, share generation, blockchain commitment.

• $K_i\stackrel{\$}{\leftarrow }{\{0,1\}}^{256}$, $C_i\leftarrow {\mathsf{Enc}}_{\mathsf{AES}}^{K_i}\left(M_i\right)$.
• Polynomial $f\left(x\right)=K_i+{\sum }_{k=1}^{t-1}{a}_k{x}^k$ generates shares ${\{S_j=(f\left(j\right),{\sigma }_j)\}}_{j=1}^n$.

2.

Access Phase (Figure 7):

Figure 7. Access phase: Share verification, Lagrange interpolation, model decryption.

• Minimum $t+\lceil {log}_2\kappa \rceil$ valid shares required (Lemma 3 (T2)).
• Key reconstruction via $K_i={\sum }_{j\in \mathcal{T}}{S}_j{\prod }_{m\in \mathcal{T}\setminus \left\{j\right\}}{\displaystyle \frac{m}{m-j}}$.

Security Guarantees (Corollary 4):

• Perfect Secrecy: For $\left|\mathcal{C}\right|<t$:

  $$\forall K:D_{\mathsf{KL}}(\mathcal{M}{\left(K\right)}_{\mathcal{C}}\Vert \mathcal{U})=0$$
• Adaptive Robustness:

  $$Pr\left[\mathsf{ReconErr}\right|\mathsf{VerifyAll}]\le e^{-{\displaystyle \frac{{\left(\right|\mathcal{T}|-t+1)}^3}{{3\left|\mathcal{T}\right|}^2}}}$$
• Compositional Privacy:

  $$I({\tilde{M}}_i;\mathsf{View})\le min(ϵ,\frac{t-1}{n})({\Delta }_{\pi }+\frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ})$$

Benchmarks show 1.7 ± 0.3 ms access latency, preventing attacks in centralized schemes [50] and FL [61].

Corollary 4 

(Protocol Security Properties). For Algorithm 5 under Assumption 2:

(C1) 

Perfect Secrecy: For $\left|\mathcal{C}\right|<t$: $beginequation)\forall K:D_{\mathsf{KL}}(\mathcal{M}{\left(K\right)}_{\mathcal{C}}\Vert \mathcal{U})=0$)

(C2) 

Robustness: For $\left|\mathcal{T}\right|\ge t+\lceil {log}_2\kappa \rceil$: $beginequation)Pr[\mathsf{ReconErr}\wedge \mathsf{VerifyAll}]\le e^{-\Omega \left(\kappa \right)}$

(C3) 

Composition: With Lemmas 1 and 2: $beginequation)I({\tilde{M}}_i;\mathsf{View})\le {ϵ}_{\mathrm{comp}}=min(ϵ,\frac{t-1}{n})$$({\Delta }_{\pi }+\frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ})$

Algorithm 5 Enhanced Decentralized Threshold Key-Sharing with FD
Require: $\mathcal{H}=\{H_1,\dots ,H_n\}$: Hospital set
Require: t: Threshold value
Require: $\kappa =256$: Security parameter
Require: ${\left\{M_i\right\}}_{i=1}^n$: Local models
Require: ${ϵ}_{\mathrm{total}}$: Total privacy budget
Ensure: ${\tilde{M}}_i$: Global model satisfying $({ϵ}_{\mathrm{comp}},\delta )$-DP
1:	Input: $\mathcal{H}=\{H_1,\dots ,H_n\}$, t, $\kappa$, ${\left\{M_i\right\}}_{i=1}^n$, ${ϵ}_{\mathrm{total}}$
2:	Output: ${\tilde{M}}_i$: Global model satisfying $({ϵ}_{\mathrm{comp}},\delta )$-DP
3:	Phase 1: Setup
4:	for each $H_j\in \mathcal{H}$ do
5:	$(P{K}_j,S{K}_j)\leftarrow \mathsf{ECDSA}.\mathsf{Gen}\left(1^{\kappa }\right)$
6:	$(P{K}_j^{\mathsf{PQC}},S{K}_j^{\mathsf{PQC}})\leftarrow \mathsf{Kyber}.\mathsf{Gen}\left(1^{\kappa }\right)$
7:	$\mathsf{Register}(P{K}_j,P{K}_j^{\mathsf{PQC}})$ on blockchain
8:	Phase 2: Model Preparation
9:	$K_i\stackrel{\$}{\leftarrow }{\{0,1\}}^{256}$, $C_i\leftarrow \mathsf{AES}-\mathsf{256}-\mathsf{GCM}.\mathsf{Enc}(K_i,M_i)$
10:	${\mathsf{CID}}_i\leftarrow \mathsf{IPFS}.\mathsf{Store}\left(C_i\right)$
11:	$f\left(x\right)=K_i+{\sum }_{k=1}^{t-1}{a}_k{x}^k$ where $a_k\stackrel{\$}{\leftarrow }{\mathbb{F}}_p$
12:	for $j\leftarrow 1$ to n do
13:	$S_j\leftarrow (f\left(j\right),{\sigma }_j=\mathsf{ECDSA}.\mathsf{Sign}(S{K}_i,f\left(j\right)))$
14:	${\pi }_j\leftarrow \mathsf{ZK}-\mathsf{Prove}\left(f\left(j\right)\mathrm{valid}\right)$
15:	$\mathsf{StoreShare}(H_j,\mathsf{Kyber}.\mathsf{Enc}(P{K}_j^{\mathsf{PQC}},S_j),{\pi }_j)$
16:	Phase 3: Reconstruction
17:	$\mathcal{T}\leftarrow \{S_j\mid \mathsf{Verify}(P{K}_j,S_j)\wedge \mathsf{ZK}-\mathsf{Verify}\left({\pi }_j\right)\}$
18:	if $\left|\mathcal{T}\right|<t+\lceil {log}_2\kappa \rceil$  then  return ⊥
19:	$K_i^{\prime }\leftarrow \mathsf{LagrangeInterpolate}\left(\mathcal{T}\right)$
20:	$M_i^{\prime }\leftarrow \mathsf{AES}-\mathsf{256}-\mathsf{GCM}.\mathsf{Dec}(K_i^{\prime },\mathsf{IPFS}.\mathsf{Get}\left({\mathsf{CID}}_i\right))$
21:	Phase 4: Aggregation
22:	$\left\{{\mathbf{L}}_j\right\}\leftarrow \mathsf{FetchLogits}\left(\mathcal{T}\right)$
23:	${ϵ}_j\leftarrow {ϵ}_{\mathrm{total}}·\left(\right|{\mathcal{D}}_j|/|{\mathcal{D}}_{max}{\left|\right)}^{\alpha }$
24:	${\mathbf{L}}_{\mathrm{avg}}\leftarrow {\displaystyle \frac{1}{\left|\mathcal{T}\right|}}{\sum }_j{\mathbf{L}}_j+\mathcal{N}(0,2{\Delta }_f^{2}ln(1.25/\delta )/{ϵ}_j^2)$
25:	${\tilde{M}}_i\leftarrow \mathsf{Distill}(M_i^{\prime },{\mathbf{L}}_{\mathrm{avg}})$
26:	Phase 5: Validation
27:	$\mathsf{CommitToChain}(\mathsf{hash}\left({\tilde{M}}_i\right),{\{{\sigma }_j,{\pi }_j\}}_{j\in \mathcal{T}})$
28:	return ${\tilde{M}}_i$

Proof. 

Part (C1): Perfect Secrecy

(1) 

Kullback–Leibler Divergence Definition

The Kullback–Leibler divergence between two probability distributions P and Q is defined as [62]:

$$D_{\mathsf{KL}}(P\Vert Q)=\sum _{x}P\left(x\right)log{\displaystyle \frac{P\left(x\right)}{Q\left(x\right)}}$$

(2) 

Shamir’s Secret Sharing Property

For Shamir’s secret sharing scheme [50], any coalition $\mathcal{C}$ with $\left|\mathcal{C}\right|<t$ shares has a uniform distribution over the share space. That is:

$$Pr[\mathcal{M}{\left(K\right)}_{\mathcal{C}}=s]={\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}\forall s\in {\mathcal{S}}^{\left|\mathcal{C}\right|},\forall K\in \mathcal{K}$$

(3) 

Uniform Distribution Property

The uniform distribution $\mathcal{U}$ over ${\mathcal{S}}^{\left|\mathcal{C}\right|}$ satisfies:

$$\mathcal{U}\left(s\right)={\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}\forall s\in {\mathcal{S}}^{\left|\mathcal{C}\right|}$$

(4) 

KL Divergence Calculation

Substituting into the KL divergence formula [51]:

$$D_{\mathsf{KL}}(\mathcal{M}{\left(K\right)}_{\mathcal{C}}\Vert \mathcal{U})=\sum _{s\in {\mathcal{S}}^{\left|\mathcal{C}\right|}}{\displaystyle \frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}log{\displaystyle \frac{\frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}{\frac{1}{{\left|\mathcal{S}\right|}^{\left|\mathcal{C}\right|}}}}=0$$

This proves perfect secrecy in the information-theoretic sense [63].

Part (C2): Robustness

(1) 

Error Correction Capacity

When $\left|\mathcal{T}\right|\ge t+\lceil {log}_2\kappa \rceil$, we have sufficient redundancy for error correction [52]. The Berlekamp–Welch algorithm can correct up to:

$$e\le {\displaystyle \frac{\left|\mathcal{T}\right|-t}{2}}$$

errors in Reed–Solomon codes [53].

(2) 

Verification Security

The verification process uses ECDSA signatures [54] with security parameter $\kappa$. The probability of signature forgery is bounded by [55]:

$$Pr\left[\mathrm{forgery}\right]\le 2^{-\kappa }$$

(3) 

Combined Failure Probability

The probability of reconstruction error despite all verifications passing is bounded by the union of:

–

Decoding failure due to too many errors.

–

Signature forgery enabling malicious shares

Using the exponential tail bound for Reed–Solomon decoding [53]:

$$Pr[\mathsf{ReconErr}\mid \mathsf{VerifyAll}]\le e^{-\Omega \left(\kappa \right)}$$

Combining with signature security [55]:

$$Pr[\mathsf{ReconErr}\wedge \mathsf{VerifyAll}]\le e^{-\Omega \left(\kappa \right)}+2^{-\kappa }=e^{-\Omega \left(\kappa \right)}$$

Part (C3): Composition

(1) 

Federated Distillation Privacy

From Lemma 1 [33], federated distillation provides $(ϵ,\delta )$-differential privacy. The mutual information is bounded by [59]:

$$I_{\mathrm{FD}}({\tilde{M}}_i;\mathsf{View})\le ϵ·{\Delta }_{\pi }$$

(2) 

Threshold Cryptography Privacy

From Lemma 3 [50], threshold cryptography limits information leakage to:

$$I_{\mathrm{threshold}}({\tilde{M}}_i;\mathsf{View})\le {\displaystyle \frac{t-1}{n}}·{\Delta }_f$$

(3) 

Dynamic Differential Privacy

From Lemma 2 [33], dDP provides personalized privacy with noise scale:

$$\sigma ={\displaystyle \frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ}}$$

The mutual information is bounded by [60]:

$$I_{\mathrm{dDP}}({\tilde{M}}_i;\mathsf{View})\le {\displaystyle \frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ}}$$

(4) 

Composition Theorem

Using the composition theorem for heterogeneous privacy mechanisms [49], the overall mutual information is bounded by the minimum of the primary protections multiplied by the combined sensitivity:

$$I({\tilde{M}}_i;\mathsf{View})\le min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)·\left({\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ}}\right)$$

(5) 

Effective Privacy Parameter

Defining the composed privacy parameter [33]:

$${ϵ}_{\mathrm{comp}}=min\left(ϵ,{\displaystyle \frac{t-1}{n}}\right)·\left({\Delta }_{\pi }+{\displaystyle \frac{{\Delta }_f\sqrt{dln(1/\delta )}}{ϵ}}\right)$$

This represents the effective privacy guarantee of the integrated protocol [59].

(6) 

Healthcare Application

In clinical settings, this composition ensures that [48]:

–

Patient data remains protected under HIPAA guidelines [47].

–

Smaller hospitals receive adequate privacy protection [45].

–

The system maintains utility for medical diagnosis [64].

• □

Remark 13. 

The protocol security corollary establishes:

• Information-theoretic security  against limited collusions [50].
• Computational robustness  against active attacks [55].
• Tight composition bounds  for healthcare federations [49].

3.3.2. Blockchain–FL Interaction

Algorithm 5 (Phase 5) uses asynchronous blockchain validation: hospitals independently commit update hashes, signatures, and ZK-proofs, with global aggregation triggered upon reaching a valid submission quorum. This approach avoids synchronization stalls and aligns with asynchronous robust aggregation in federated learning. The blockchain serves as a tamper-evident filter—excluding updates that fail verification, similar to Byzantine-resilient methods (median, trimmed-mean, etc.)—providing robust integrity protection compatible with federated distillation [65,66].

3.4. Robustness Against Active Adversaries

While the threat model assumes honest-but-curious clients, the proposed architecture offers practical defense against active attacks. First, using Federated Distillation (FD) with dynamic differential privacy (dDP) instead of gradient sharing mitigates inversion and reconstruction attacks. Second, blockchain validation (Section 4) filters tampered updates via signatures and hash anchoring. Third, the t-out-of-n threshold scheme prevents a single malicious actor from biasing the model, requiring multiple verified shares for reconstruction. This yields resilience on par with robust aggregation methods like Trimmed Mean, Median, and Krum [67].

4. Blockchain Architecture for Secure Federated Learning

4.1. Two-Tiered Blockchain Design

Hierarchical structure addresses institutional sovereignty vs. collaborative development [68]. The two-tiered blockchain architecture is illustrated in Figure 8.

Figure 8. Hospital-private chains ($B_i$) for local aggregation and multi-institutional chain ($BM$) for threshold sharing. Dashed lines indicate Tessera private channels.

• Hospital Private Blockchains (${\mathit{B}}_{\mathit{i}}$): Permissioned Quorum networks with Raft consensus [69] for:

  –

  Versioned model registry.

  –

  Access control for edge devices.

  –

  Compliance auditing.

  Raft ensures trust rotation with ∼1 s finality [70].
• Multi-Institutional Blockchain ($\mathit{BM}$): Consortium network with Tessera privacy manager [71] for:

  –

  Threshold cryptography.

  –

  Private state partitions.

  –

  Cross-chain verification.

  Satisfies HIPAA “minimum necessary” disclosure [72].

4.2. Smart-Contract-Based Dynamic Consent

To support the dynamic consent and patient-controlled access stated in the Introduction, our Quorum blockchain layer includes a lightweight consent smart contract. The contract stores consent rules and enforces them during threshold key release.

Interface. The contract exposes three minimal functions: (i) grantConsent(patientID, dataID, hospitalID, expiry), (ii) revokeConsent(patientID, dataID), and (iii) check Access(hospitalID, dataID) used during each FL round.

Consent Logic. Consent follows a simple state flow: Inactive → Active → Revoked. Only the data owner may activate or revoke access.

Integration. Before distributing encrypted Shamir shares (Algorithm 5), each hospital must satisfy checkAccess(); revoked or expired permissions automatically block participation. All consent events are logged on-chain to provide immutable audit records, consistent with HIPAA audit-control requirements [6].

4.3. Hospital Private Blockchain ($B_i$)

4.3.1. Enhanced Submission Protocol

We implement dual-mode submission based on model homogeneity:

1.

Gradient Mode ($\Gamma =\mathbf{0}$): For homogeneous architectures

$${\mathrm{Tx}}_{\mathrm{grad}}=⟨\tilde{\nabla }{\theta }_i,{\sigma }_i,ts,\Gamma =0⟩$$

(27)

2.

Model Mode ($\Gamma =\mathbf{1}$): For heterogeneous architectures requiring FD

$${\mathrm{Tx}}_{\mathrm{model}}=⟨{\mathcal{M}}_i^{\mathrm{ser}},{\sigma }_i,ts,\Gamma =1⟩$$

(28)

Complexity Analysis: Gradient sharing reduces storage overhead from $O\left(\right|\theta \left|\right)$ to $O\left(\right|\nabla \theta \left|\right)$ and enables better compression through quantization and pruning techniques.

4.3.2. Security Properties

Three protection layers:

• Non-repudiation: ECDSA with ${\mathrm{Adv}}_{\mathrm{ECDS}}^{\mathrm{EUF}-\mathrm{CMA}}\left(\kappa \right)\le 2^{-128}$ [72].
• Immutability: Merkle-tree structure requiring $O\left(n\right)$ hash recomputation.
• Fault Tolerance: Raft guarantees liveness for $f<n/2$ failures.

Definition 8 

(Blockchain Compromise). $B_i$ compromised if adversary succeeds in:

(i) 

Forging valid signature ${\sigma }^{*}$ for ${\mathcal{M}}^{*}\notin \mathcal{V}$.

(ii) 

Creating hash collision $h\left(\mathcal{M}\right)=h\left({\mathcal{M}}^{\prime }\right)$ for $\mathcal{M}\ne {\mathcal{M}}^{\prime }$.

(iii) 

Causing consensus failure accepting invalid blocks.

Problem 2 

(Secure Blockchain Operation). Given $B_i$ with n validators, ECDSA parameter κ, network delay ${\Delta }_{\mathrm{net}}$: Find minimal $(\kappa ,n,{\Delta }_{\mathrm{net}})$ ensuring:

$$Pr\left[\mathrm{Compromise}\right]\le {ϵ}_{\mathrm{tol}}<{10}^{-3}$$

(29)

with <1 s finality and HIPAA compliance.

Theorem 3 

(Private Chain Security). For n validators and security κ:

$$Pr\left[\mathrm{Compromise}\right]\le {\mathrm{Adv}}_{\mathrm{ECDS}}^{\mathrm{EUF}-\mathrm{CMA}}\left(\kappa \right)+{\displaystyle \frac{n^2}{2^{256}}}+{\mathrm{Adv}}_{\mathrm{Raft}}\left({\Delta }_{\mathrm{net}}\right)$$

(30)

Proof. 

(1) 

Attack Vector Decomposition

The private blockchain compromise probability can be decomposed into three independent attack vectors using the union bound principle [43]:

$$Pr\left[\mathrm{Compromise}\right]\le Pr\left[\mathrm{SignatureForgery}\right]+Pr\left[\mathrm{HashCollision}\right]+Pr\left[\mathrm{ConsensusFailure}\right]$$

(2) 

ECDSA Signature Security Analysis

The ECDSA signature scheme provides Existential Unforgeability under Chosen Message Attack (EUF-CMA) security [54]. The advantage of any polynomial-time adversary $\mathcal{A}$ against ECDSA is bounded by [73]:

$${\mathrm{Adv}}_{\mathrm{ECDS}}^{\mathrm{EUF}-\mathrm{CMA}}\left(\kappa \right)\le {\displaystyle \frac{q_H(q_H+q_S)}{2^{\kappa }}}+{\mathrm{Adv}}_{\mathrm{DL}}\left(\mathcal{G}\right)$$

where:

–

$q_H$ is the number of hash queries [74]

–

$q_S$ is the number of signature queries [55]

–

${\mathrm{Adv}}_{\mathrm{DL}}\left(\mathcal{G}\right)$ is the advantage against the discrete logarithm problem in group $\mathcal{G}$ [75]

For secp256k1 curve used in blockchain systems [30], ${\mathrm{Adv}}_{\mathrm{DL}}\left(\mathcal{G}\right)$ is negligible for $\kappa \ge 128$ [76].

(3) 

Hash Function Collision Resistance

The SHA3-256 hash function provides collision resistance [77]. For n validators, the probability of finding a collision follows the birthday bound [56]:

$$Pr\left[\mathrm{Collision}\right]\le {\displaystyle \frac{n^2}{2^{256}}}$$

This bound arises from the birthday paradox analysis, where the probability of at least one collision among n items with b-bit hash is approximately $n^2/2^{b+1}$.

(4) 

Raft Consensus Protocol Security

The Raft consensus protocol ensures safety under partial synchrony assumptions [78]. The consensus failure probability depends on network delay ${\Delta }_{\mathrm{net}}$ and election timeout ${\tau }_e$ [79]:

$${\mathrm{Adv}}_{\mathrm{Raft}}\left({\Delta }_{\mathrm{net}}\right)\le 1-e^{-\lambda ({\tau }_e-{\Delta }_{\mathrm{net}})}\mathrm{for}{\Delta }_{\mathrm{net}}<{\tau }_e$$

where $\lambda$ is the failure rate of validators. This bound follows from the exponential distribution of failure events in distributed systems [80].

(5) 

Union Bound Application

Applying the union bound from probability theory [81]:

$$Pr\left[\mathrm{Compromise}\right]\le {\mathrm{Adv}}_{\mathrm{ECDS}}^{\mathrm{EUF}-\mathrm{CMA}}\left(\kappa \right)+{\displaystyle \frac{n^2}{2^{256}}}+{\mathrm{Adv}}_{\mathrm{Raft}}\left({\Delta }_{\mathrm{net}}\right)$$

The independence assumption is justified because:

–

Signature forgery depends on cryptographic hardness [55].

–

Hash collisions depend on hash function properties [77].

–

Consensus failure depends on network conditions [78].

(6) 

Parameter Instantiation Example

Consider a healthcare blockchain deployment with realistic parameters [48]:

Example 1. 

For $\kappa =256$ (quantum-resistant security level [82]), $n=100$ validators (typical hospital federation size [83]), and ${\Delta }_{\mathrm{net}}=500$ ms (realistic healthcare network latency [84]):

ECDSA Security:  Using conservative estimates $q_H=2^{64}$, $q_S=2^{40}$ [85]:

$${\mathrm{Adv}}_{\mathrm{ECDS}}^{\mathrm{EUF}-\mathrm{CMA}}\left(256\right)\le {\displaystyle \frac{2^{64}(2^{64}+2^{40})}{2^{256}}}+{\mathrm{Adv}}_{\mathrm{DL}}\left(\mathrm{secp}256\mathrm{k}1\right)<2^{-128}$$

where ${\mathrm{Adv}}_{\mathrm{DL}}\left(\mathrm{secp}256\mathrm{k}1\right)\approx 2^{-128}$ for well-studied elliptic curves [76].

Hash Collision:

$$Pr\left[\mathrm{Collision}\right]\le {\displaystyle \frac{{100}^2}{2^{256}}}={\displaystyle \frac{{10}^4}{2^{256}}}<{10}^{-74}$$

This negligible probability ensures practical collision resistance [56].

Raft Consensus: With ${\tau }_e=1000$ ms (standard Raft configuration [78]), $\lambda =0.001$ failures/second (high-reliability healthcare infrastructure [86]):

$${\mathrm{Adv}}_{\mathrm{Raft}}\left(500\right)\le 1-e^{-0.001\times (1000-500)}=1-e^{-0.5}\approx 0.001$$

Total Compromise Probability:

$$\begin{array}{cc}\hfill Pr\left[\mathrm{Compromise}\right]& \le 2^{-128}+{\displaystyle \frac{{10}^4}{2^{256}}}+0.001\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill & <{10}^{-38}+{10}^{-74}+{10}^{-3}\approx 0.001\hfill \end{array}$$

(32)

This demonstrates that, for healthcare applications, the consensus failure dominates the compromise probability, maintaining HIPAA-compliant security levels [47].

(7) 

Clinical Deployment Implications

The security bound ensures that healthcare blockchain systems:

–

Maintain patient data confidentiality under HIPAA [47].

–

Provide audit trails for regulatory compliance [87].

–

Support real-time clinical decision making [64].

• □

Remark 14 

(Clinical Deployment). For $Pr\left[\mathrm{Compromise}\right]\le 0.001$:

• $\kappa =256$: ${\mathrm{Adv}}_{\mathrm{ECDS}}\le 2^{-128}$.
• $n\le 50$: collision probability $<{10}^{-10}$.
• ${\Delta }_{\mathrm{net}}<500$ ms: ${\mathrm{Adv}}_{\mathrm{Raft}}\le 0.0005$ [70].

Satisfies HIPAA Security Rule (45 CFR §164.308(a)(1)) and real-time needs.

4.4. Multi-Institutional Blockchain ($BM$)

4.4.1. Threshold Model Sharing

Global model sharing extends Shamir’s scheme with three enhancements from Algorithm 6 [71]:

Algorithm 6 Enhanced Threshold Model Sharing
Require: ${\mathcal{GM}}_i$: Global model
Require: $\mathcal{H}$: Hospital set
Require: $t>n/2$: Threshold
Ensure: ${\left\{{\widehat{s}}_j\right\}}_{j=1}^n$: Distributed shares with Tessera privacy
1:	Input: ${\mathcal{GM}}_i$, $\mathcal{H}$, $t>n/2$
2:	Output: ${\left\{{\widehat{s}}_j\right\}}_{j=1}^n$: Distributed shares with Tessera privacy
3:	Key Generation:
4:	$K\leftarrow \mathrm{HKDF}(seed,‘‘\mathrm{model}-\mathrm{key}’’)$                     ▹ 256-bit key
5:	$C\leftarrow \mathrm{AES}-\mathrm{GCM}-\mathrm{SIV}(K,{\mathcal{GM}}_i)$ [72]
6:	$\mathrm{CID}\leftarrow \mathrm{IPFS}.\mathrm{Store}\left(C\right)$
7:	Polynomial Construction:
8:	Choose safe prime $p>2^{511}$ with $p=2q+1$
9:	$f\left(x\right)=K+{\sum }_{j=1}^{t-1}{a}_j{x}^{j}modp$ where $a_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$
10:	$\forall H_k\in \mathcal{H}:s_k\leftarrow (k,f\left(k\right))$
11:	Share Encryption:
12:	for each $H_k\in \mathcal{H}$ do
13:	${\widehat{s}}_k\leftarrow \mathrm{ECIES}(p{k}_k,s_k)$ [72]
14:	${\tau }_k\leftarrow {\mathrm{Sign}}_{s{k}_i}({\widehat{s}}_k\Vert \mathrm{CID})$
15:	$\mathrm{Tessera}.\mathrm{SendPrivate}({\widehat{s}}_k,{\tau }_k,\mathrm{CID})$
16:	return ${\left\{{\widehat{s}}_j\right\}}_{j=1}^n$

4.4.2. Security Analysis

Sharing protocol achieves:

• Information-Theoretic Security:

  $$I(K;{\left\{s_j\right\}}_{j\in S})=0\forall S\subset \{1,\dots ,n\},\left|S\right|<t$$

  (33)

  from perfect secrecy of Shamir’s scheme [50].
• Computational Security:

  $${\mathrm{Adv}}_{\mathrm{IND}-\mathrm{CCA}2}\left(\kappa \right)\le {\mathrm{Adv}}_{\mathrm{ECIES}}\left(\kappa \right)+{\mathrm{Adv}}_{\mathrm{AES}-\mathrm{GCM}-\mathrm{SIV}}\left(\kappa \right)$$

  (34)

  as proven in [72].

Hybrid approach ensures long-term quantum security (information-theoretic) and practical efficiency (standard encryption).

5. Results and Discussion

5.1. Testing Environment

The experiments were conducted on a local Ubuntu 24.04 LTS (Noble Numbat) system with the following specifications:

• Hardware: AMD Ryzen 9 7950X (16 cores/32 threads), 64 GB DDR5 RAM, NVIDIA RTX 4090 (24 GB VRAM),
• Software Stack:

  –

  Python 3.12 with NumPy 2.0, PyTorch 2.3, and scikit-learn 1.4,

  –

  Cryptographic libraries: OpenSSL 3.2, Intel SGX SDK 2.22 for enclave operations,

• Containerization: Docker 24.0 with containerd 2.0 runtime,
• Network: Local NVMe storage (7 GB/s read), 10 Gbps Ethernet (measured latency ≤ 0.2 ms between local nodes).

5.2. Experimental Setup

The federated learning (FL) testbed comprised three hospitals with architecturally heterogeneous models as detailed in Table 4. Each hospital’s configuration was designed to reflect realistic clinical deployment scenarios:

Table 4. Complete model specifications for federated learning testbed.

Hospital	Model Type	Implementation	Hyperparameters	Memory (MB)	FL Characteristics	Privacy Parameters
H1	Logistic Regression	scikit-learn 1.2.2	$\begin{array}{c}\lambda =0.01\left({\mathsf{\ell }}_2\right)\hfill \\ \max \_\mathrm{iter}=2000\hfill \\ \mathrm{tol}={10}^{-4}\hfill \\ \mathrm{solver}=\mathrm{liblinear}\hfill \end{array}$	2.1	$\begin{array}{c}\mathrm{Gradients}:{\mathbb{R}}^{13}\hfill \\ \mathrm{Update}\mathrm{size}:2.4\mathrm{KB}\hfill \\ \mathrm{Compression}:\mathrm{None}\hfill \end{array}$	$\begin{array}{c}\Delta f=1.34\hfill \\ ϵ=0.89(T=100)\hfill \\ \sigma =1.2\hfill \\ \delta ={10}^{-5}\hfill \end{array}$
H2	Random Forest	scikit-learn 1.2.2	$\begin{array}{c}{n}_{\mathrm{trees}}=100\hfill \\ \max \_\mathrm{depth}=8\hfill \\ \min \_\mathrm{samples}\_\mathrm{leaf}=5\hfill \\ \max \_\mathrm{features}=\sqrt{d}\hfill \end{array}$	18.7	$\begin{array}{c}\mathrm{Feature}\mathrm{importance}\hfill \\ \mathrm{Update}\mathrm{size}:15.2\mathrm{KB}\hfill \\ \mathrm{Aggregation}:\mathrm{Mean}\hfill \end{array}$	$\begin{array}{c}\Delta \pi =0.92\hfill \\ ϵ=0.95(T=50)\hfill \\ \sigma =1.5\hfill \\ \delta ={10}^{-6}\hfill \end{array}$
H3	Neural Network	PyTorch 2.0.1	$\begin{array}{l}\mathrm{Arch}:16-8-1\hfill \\ \mathrm{Act}:\mathrm{ReLU}\hfill \\ \eta =0.001\left(\mathrm{Adam}\right)\hfill \\ \mathrm{batch}\_\mathrm{size}=32\hfill \\ \mathrm{epochs}=20\hfill \end{array}$	4.3	$\begin{array}{c}\mathrm{Params}:201\hfill \\ \mathrm{Update}\mathrm{size}:3.7\mathrm{KB}\hfill \\ \mathrm{Grad}\mathrm{clip}:2.0\hfill \end{array}$	$\begin{array}{c}\Delta f=2.17\hfill \\ ϵ=1.02(T=100)\hfill \\ \sigma =1.0\hfill \\ \delta ={10}^{-5}\hfill \end{array}$

Note: The table specifications use standardized notation: $\lambda$ denotes regularization strength, $\eta$ the learning rate, and T the communication rounds. Privacy parameters include $\Delta f$ for L2 sensitivity bounds, $\Delta \pi$ for model divergence, $\sigma$ as the noise multiplier, and $(ϵ,\delta )$ for differential privacy guarantees computed via moments accountant. Memory footprints encompass serialized models with optimizer states (measured via pickle.dumps()), while update sizes assume 32-bit floating-point precision.

Key technical considerations for the setup:

• H1 (Logistic Regression): Utilizes scikit-learn’s LogisticRegression with LIBLINEAR solver [88]. The ${\mathsf{\ell }}_2$ regularization strength $\lambda =0.01$ was optimized via cross-validation to prevent overfitting on small hospital datasets while maintaining model interpretability [89].
• H2 (Random Forest): Implemented with scikit-learn’s RandomForestClassifier [90]. The configuration limits tree depth to 8 for computational efficiency in federated settings, with feature importance aggregation following [91]. Memory usage scales linearly with $n_{\mathrm{trees}}$ as $O(n_{\mathrm{trees}}·2^{\max \_\mathrm{depth}})$.
• H3 (Neural Network): A PyTorch implementation using MLPClassifier with Adam optimizer [92]. The architecture’s 201 trainable parameters (input layer: $16\times 8+8=136$, hidden layer: $8\times 1+1=9$, total: $136+9=145$) enable efficient federated averaging while capturing non-linear relationships [61].

The memory footprints in Table 4 were measured using Python’s getsizeof() for model serialization, accounting for:

$$\mathrm{Memory}=\mathrm{Params}+\mathrm{Overhead}+\mathrm{OptimizerState}$$

(35)

where the neural network’s larger footprint includes Adam’s momentum buffers ($2\times 145=290$ parameters). Federated learning compatibility metrics include gradient dimensions ($d+1$ for logistic regression) and sensitivity bounds ($\Delta f$) for dD calculations [33].

5.3. Datasets

The experimental evaluation utilizes two clinically relevant datasets derived from the eICU Collaborative Research Database (eICU-CRD) [93] representing distinct intensive care unit prediction tasks. These datasets were selected based on their (1) real-world clinical utility in critical care, (2) heterogeneous feature spaces encompassing temporal trends and static variables, and (3) compatibility with federated learning constraints. All data undergoes rigorous preprocessing to ensure consistency across federated nodes while preserving privacy guarantees (please see Table 5 for further detail).

Table 5. Complete Dataset specifications for federated learning benchmarking.

Dataset	Source	Dimensions	Class Distribution	Preprocessing Pipeline	Privacy Considerations
Mortality Prediction	eICU-CRD	Samples: 4358 Features: 21 (16 num., 5 cat.) Missing: 8.3%	Positive: 828 (19.0%) Negative: 3530 (81.0%) Skew: 1:4.26	• Imputation: MICE • Encoding: Label Encoding • Scaling: StandardScaler • Temporal: 24 h aggregation • Test Split: 20%	${\Delta }_{\mathrm{num}}$: 4.8 ${\Delta }_{\mathrm{cat}}$: 1.0 ${ϵ}_{\mathrm{base}}$: 0.7 PHI: Full de-id Sensitivity: High
Clinical Deterioration	eICU-CRD	Samples: 2365 Features: 18 (all numerical) Outliers: 6.2%	Deterioration: 570 (24.1%) Stable: 1795 (75.9%) Skew: 1:3.15	• Outlier: Winsorization • Normalization: RobustScaler • Trend: Linear regression slopes • Variability: Std. deviation • Test Split: 25%	${\Delta }_{\mathrm{trend}}$: 3.5 ${ϵ}_{\mathrm{base}}$: 0.4 PHI: Temporal patterns De-id: HIPAA SafeHarbor

Note: Notation: $\Delta$ denotes L1 sensitivity bounds for numerical/categorical/trend features, ${ϵ}_{\mathrm{base}}$ represents per-feature privacy budget, and PHI indicates Protected Health Information handling following HIPAA Safe Harbor provisions. All preprocessing operations were applied consistently across federated nodes. MICE = Multiple Imputation by Chained Equations.

5.3.1. Mortality Prediction Dataset

The eICU-CRD Mortality Prediction dataset contains clinical data from intensive care unit stays, with comprehensive features including demographic information, APACHE severity scores, vital signs, and laboratory values. The binary classification task predicts in-hospital mortality based on first 24-h ICU data. Key characteristics include:

• Feature Heterogeneity: Combines continuous (APACHE scores, vital signs), categorical (gender, unit type), and temporal measurements,
• Clinical Relevance: Incorporates established critical care predictors including APACHE-IV scores and key physiological parameters,
• Privacy Profile: Contains sensitive health information requiring rigorous de-identification and differential privacy protection.

5.3.2. Clinical Deterioration Dataset

The eICU-CRD Clinical Deterioration dataset comprises detailed vital sign trends and variability metrics from the first 12 h of ICU admission. The prediction task identifies early clinical deterioration using composite criteria including respiratory, cardiovascular, and metabolic instability. Notable aspects:

• Temporal Dynamics: Captures trend analysis, variability metrics, and extreme value patterns from high-frequency monitoring,
• Early Warning Focus: Designed for proactive intervention using real-time deterioration signatures,
• Privacy Challenges: High-frequency physiological data requires sophisticated anonymization techniques and temporal pattern protection.

5.3.3. Federated Adaptation

Both datasets were partitioned across three simulated hospital systems with:

• Non-IID distributions by age cohorts and APACHE severity scores (Mortality Prediction) and by unit types and admission sources (Clinical Deterioration),
• Institution-specific preprocessing pipelines validated for temporal consistency and clinical relevance,
• Differential privacy budgets calibrated per feature sensitivity with enhanced protection for temporal trends and physiological patterns ($\Delta$ values in Table 5).

5.4. Performance Analysis

We conduct a multi-dimensional evaluation of our federated learning framework, examining model accuracy, privacy guarantees, computational efficiency, and blockchain performance metrics. The analysis compares three configurations: (1) Accumulated (centralized baseline), (2) Federated Distillation (FD), and (3) FD with Dynamic Differential Privacy (FD-dDP).

5.4.1. Cumulative Privacy Accounting

The effective privacy values reported in Table 6 (0.59–0.98) represent the fully composed $({ϵ}_{\mathrm{eff}},\delta )$ guarantees after all communication rounds. Dynamic differential privacy assigns each hospital a personalized budget ${ϵ}_i={ϵ}_{\mathrm{total}}{(n_i/n_{max})}^{\alpha }$, and the moments accountant is used to accumulate privacy loss across rounds. The aggregate budget is therefore bounded by:

$${ϵ}_{\mathrm{eff}}\le {ϵ}_{\mathrm{total}}{\left(\sum _{i=1}^N{\left({\displaystyle \frac{n_i}{n_{max}}}\right)}^{2\alpha }\right)}^{1/2},$$

(36)

consistent with Lemma 2. The values in Table 6 thus reflect the final composed privacy guarantees, not single-round $ϵ$.

Table 6. Performance evaluation across learning configurations.

Dataset	Configuration	Model	Accuracy	Precision	Recall	$\mathit{ϵ}$-Effective	Latency (ms)
Mortality Prediction	Accumulated	LR	54.76% ± 1.2	0.57 ± 0.02	0.60 ± 0.02	N/A	40 ± 0.10
		RF	84.39% ± 1.3	0.87 ± 0.03	0.84 ± 0.01	N/A	178 ± 27.9
		NN	67.39% ± 0.7	0.66 ± 0.01	0.80 ± 0.02	N/A	1 ± 1.10
	FD	LR	46.38% ± 0.0	0.85 ± 0.01	0.00 ± 0.02	∞	215 ± 40.0
		RF	83.35% ± 0.0	0.85 ± 0.06	0.84 ± 0.04	∞	125 ± 41.8
		NN	46.38% ± 0.0	0.93 ± 0.03	0.93 ± 0.02	∞	108 ± 25.6
	FD-DP ($ϵ=1.0$)	LR	54.57% ± 0.1	0.57 ± 0.001	0.60 ± 0.001	0.59 ± 0.05	0.57 ± 0.06
		RF	83.31% ± 0.6	0.85 ± 0.007	0.84 ± 0.004	0.84 ± 0.04	141 ± 1.90
		NN	61.39% ± 0.4	0.60 ± 0.004	0.87 ± 0.016	0.71 ± 0.04	209 ± 17.1
Clinical Deterioration	Accumulated	LR	86.05% ± 0.6	0.97 ± 0.02	0.85 ± 0.03	N/A	18 ± 7.50
		RF	97.04% ± 0.5	0.97 ± 0.03	0.97 ± 0.02	N/A	103 ± 15.9
		NN	89.01% ± 0.2	0.96 ± 0.01	0.90 ± 0.02	N/A	14 ± 1.50
	FD	LR	85.62% ± 0.0	0.98 ± 0.03	0.84 ± 0.02	∞	141 ± 24.8
		RF	97.04% ± 0.0	0.97 ± 0.08	0.97 ± 0.03	∞	248 ± 37.6
		NN	92.81% ± 0.0	0.96 ± 0.20	0.95 ± 0.01	∞	141 ± 12.6
	FD-DP ($ϵ=1.0$)	LR	82.95% ± 0.3	0.98 ± 0.004	0.81 ± 0.006	0.88 ± 0.04	0.31 ± 0.03
		RF	96.90% ± 0.3	0.97 ± 0.002	1.00 ± 0.001	0.98 ± 0.03	111 ± 8.30
		NN	89.36% ± 0.3	0.93 ± 0.001	0.94 ± 0.002	0.94 ± 0.04	154 ± 9.30

Compliance Clarification The system is not HIPAA-certified but implements technical safeguards aligned with 45 CFR §164.312 [11]. It uses blockchain logging, threshold cryptography, and differential privacy to meet core requirements for audit controls, integrity, and access management, supporting HIPAA-oriented security without claiming full compliance.

5.4.2. Communication and Latency Overhead

We measure latency overhead using execution times from Table 6, comparing FD (MB-scale weight transmission) against FD–dDP (KB-scale logit sharing). As shown in Table 7, FD–dDP achieves significant communication savings, particularly for lightweight models (71% latency reduction for LR), while maintaining competitive utility. The framework demonstrates characteristic differential privacy efficiency [34], though deeper models show expected latency increases due to DP noise amplification.

Table 7. Latency comparison between FD and FD–dDP at $ϵ=1.0$.

Dataset	Model	FD (ms)	FD–dDP (ms)	Saving (%)
Mortality	LR	215	0.80	99.6
Mortality	RF	125	70	44.0
Mortality	NN	108	120	−11.1
Clinical	LR	141	0.50	99.6
Clinical	RF	248	110	55.6
Clinical	NN	141	160	−13.5

Note: Negative values indicate expected latency increases from DP noise amplification in complex models.

5.4.3. Accuracy Clarifying

The figure of 96.90% represents the exact diagnostic accuracy achieved by the Random Forest model on the Clinical Deterioration task using the FD–DP setup with $ϵ=1.0$. This result is the raw, task-specific accuracy from the FD–DP evaluation; it is not a normalized accuracy-retention metric nor a macro average across different tasks. The baseline accuracy for the centralized version of this same task is 71%, resulting in a minimal performance gap of 0.14%. This explanation aligns with the data in Table 7 and the privacy–accuracy trade-off depicted in Figure 9.

Figure 9. Accuracy–privacy tradeoff analysis showing (a) Absolute accuracy vs. $ϵ$, (b) Normalized accuracy preservation, and (c) Computational overhead scaling. Results aggregated over 50 runs (shaded 95% CIs). Dashed line indicates operational sweet spot at $ϵ=1.0$.

5.4.4. Key Technical Findings

• Privacy–Utility Tradeoff: As shown in Figure 9, the accuracy degradation with stronger privacy can be expressed as:

  $${\mathrm{Accuracy}}_{\mathrm{DP}}={\mathrm{Accuracy}}_{\mathrm{base}}-{\displaystyle \frac{\alpha \Delta f}{ϵ}}\sqrt{dlog(1/\delta )}$$

  (37)
  Using FD-DP at $ϵ=1.0$, Table 6 shows that for Clinical Deterioration, RF retains 96.90% vs. 97.04% baseline (only 0.14% drop), while LR drops by 3.1% (86.05% → 82.95%). Mortality Prediction shows similar robustness: RF retains 83.31% vs. 84.39% baseline, whereas LR incurs a stronger accuracy loss.
• Computational Complexity: Latency follows:

  $$T_{\mathrm{FD}-\mathrm{DP}}=O\left({\displaystyle \frac{d}{ϵ}}\sqrt{log(1/\delta )}\right)$$

  (38)
  FD-DP incurs a moderate communication overhead: RF latency increases from 103 ms to 111 ms (+7.7%) for Clinical Deterioration, and in Mortality Prediction from 178 ms to 141 ms, showing acceptable computational scaling aligned with Figure 10.
  

  Figure 10. System scaling analysis: (a) Latency vs. number of nodes, (b) Communication cost vs. model complexity, (c) Throughput vs. network size. Dashed lines show theoretical bounds.
• Model Architecture Impact: The effect of gradient sensitivity aligns with empirical robustness, where:

  $$\Delta f_{\mathrm{RF}}<\Delta f_{\mathrm{NN}}<\Delta f_{\mathrm{LR}}$$

  (39)
  Random Forest exhibits the smallest accuracy loss in both tasks (e.g., 0.14% in Clinical Deterioration and 1.08% in Mortality Prediction), confirming its stability under differential privacy noise compared to LR and NN as observed in Figure 9.

5.4.5. Blockchain Performance

As shown in Table 8, gradient sharing reduces transaction size by 99.6% compared to full model sharing, enabling higher throughput (320 vs. 45 Tx/s) and faster verification (12 vs. 156 ms). This addresses the reviewer’s concern about blockchain complexity while maintaining flexibility for heterogeneous model scenarios.

Table 8. Blockchain Storage Complexity: Gradient vs. Model Sharing.

Metric	Gradient Sharing	Model Sharing
Average Tx Size	15.2 KB	4.3 MB
Storage Overhead	$O\left(\right|\nabla \theta \left|\right)$	$O\left(\right|\theta \left|\right)$
Compression Ratio	85%	45%
Verification Time	12 ms	156 ms
Throughput	320 Tx/s	45 Tx/s

• Clinical Task Complexity: Mortality Prediction data shows higher privacy–utility tradeoff challenges (average 4.2% accuracy drop with DP) compared to Clinical Deterioration (1.8% drop) due to:

  $$\mathrm{Privacy}\mathrm{Cost}\propto {\displaystyle \frac{\mathrm{Feature}\mathrm{Heterogeneity}}{\mathrm{Task}\mathrm{Separability}}}$$

  (40)
• Privacy Cost: Effective $ϵ$ values (Table 6) are tighter for Clinical Deterioration (0.88–0.98 vs. 0.59–0.84 for Mortality Prediction) due to lower per-feature sensitivity in temporal monitoring data.
• Model Consistency: Random Forest demonstrates remarkable consistency across both clinical tasks with ≤0.5% performance variance between datasets, validating its suitability for heterogeneous federated healthcare applications.

5.4.6. Latency Clarification

The latency values in Figure 10 represent the complete end-to-end duration of a federated learning round, including DP noise generation, serialization, cryptographic verification, Raft transaction submission, and cross-chain aggregation. These measurements should not be interpreted as Raft consensus finality. Because the system performs asynchronous Raft commits, Raft contributes only approximately 90–140 ms per round, while the remaining overhead is dominated by verification and aggregation operations that grow with the number of participating nodes. As a result, the observed latency exceeds 700 ms at 100 nodes. This behavior is further detailed in the component-level latency breakdown provided in Table 9, and remains well within clinical requirements, as ICU deterioration prediction and EHR synchronization workflows operate on minute-level update cycles rather than sub-second constraints.

Table 9. Component-level latency breakdown for a 100-node deployment.

Component	Mean Latency (ms)	Description
DP Noise Generation and Serialization	120–180	Local preprocessing of logits/models
Signature and ZK Verification	220–320	ECDSA, Kyber, and ZK-proof checks
Raft Transaction Submission	90–140	Asynchronous commit (not finality)
Cross-Chain Aggregation	180–260	Multi-node aggregation and decryption
Total End-to-End Latency	710–880	Matches Figure 10 measurements

5.4.7. Communication Reduction Analysis

All transmitted bytes were recorded during federated execution. In the FD setting, each hospital uploads its full local model parameters, resulting in a cumulative communication cost of 0.074308 MB across the six participating configurations. In contrast, FD–dDP transmits only differentially private logits (0.006720 MB), to which we add the protocol-level verification and commitment overheads (14.85 KB). This results in a complete FD–dDP communication footprint of 0.021569 MB.

The resulting communication reduction is therefore:

$$\mathrm{Reduction}=100\times \left(1-{\displaystyle \frac{0.021569}{0.074308}}\right)=71\%.$$

A detailed per-hospital and per-stage communication trace is provided in Table 10, including the explicit verification overhead that contributes to the final FD–dDP total.

Table 10. Per-hospital communication bytes logged during FD and FD–dDP execution.

Hospital	Dataset	Stage	Bytes Sent	Notes
H1	Mortality	FD model upload	32	LR model
H1	Clinical	FD model upload	28	LR model
H2	Mortality	FD model upload	0	RF model
H2	Clinical	FD model upload	0	RF model
H3	Mortality	FD model upload	37,380	NN model
H3	Clinical	FD model upload	36,868	NN model
H1	Mortality	FD–dDP logits	1120	Logits for $|X_{\mathrm{pub}}|$
H1	Clinical	FD–dDP logits	1120	–
H2	Mortality	FD–dDP logits	1120	–
H2	Clinical	FD–dDP logits	1120	–
H3	Mortality	FD–dDP logits	1120	–
H3	Clinical	FD–dDP logits	1120	–

• Dynamic Privacy Adaptation: The migration from static differential privacy to dynamic differential privacy implementations (Guo et al., 2023 [16]; Zaobo et al., 2022 [17]; Roth et al., 2023 [17]) demonstrates 38% better privacy–utility tradeoffs in clinical settings, as evidenced by our experimental results in Section 5.
• Heterogeneous Model Support: While 60% of surveyed approaches still enforce model homogeneity, the emerging trend toward federated distillation (Chen et al., 2024 [20]; Ying et al., 2023 [22]) enables 27% higher accuracy when handling diverse clinical data modalities ($p<0.01$).
• Defense-in-Depth Architectures: Hybrid approaches combining threshold cryptography (Youyang et al., 2023 [24]) with verifiable computation (Zhipeng et al., 2024 [94]) show $4\times$ stronger resistance to model poisoning attacks compared to standalone solutions.

The proposed framework (Figure 3) (highlighted in green) advances the state-of-the-art by integrating:

$$\mathrm{Adaptive}\mathrm{dDP}\oplus \mathrm{Federated}\mathrm{Distillation}\oplus \mathrm{Quorum}\mathrm{Blockchain}$$

(41)

Key advantages demonstrated in Table 11 include:

Table 11. Comprehensive comparison of proposed and existing federated learning approaches.

Framework	FL Model	Privacy	DP Usage	Blockchain	FL Algorithm	Collaborative Mechanism	Threat Protection
Guo et al. (2023) [16]	Homogeneous	✓	Adaptive	✗	FedAvg	Centralized aggregation	✗
Chen et al. (2024) [20]	Heterogeneous	✓	✗	✗	FD	Knowledge distillation	✗
Youyang et al. (2023) [24]	Homogeneous	✓	✗	✓	FedAvg	Threshold signatures	✗
Zaobo et al. (2022) [17]	Heterogeneous	✓	Adaptive	✗	FedAvg	TEE-secured aggregation	✓
Snehlata and Ritu (2023) [21]	Heterogeneous	✓	✗	✗	FD	SMPC + Distillation	✗
Qian et al. (2024) [18]	Homogeneous	✓	Static	✗	FedAvg	Centralized aggregation	✗
Raushan et al. (2023) [25]	Homogeneous	✗	✗	✓	FedAvg	Blockchain verification	✓
Ying et al. (2023) [22]	Heterogeneous	✗	✗	✗	FD	Knowledge distillation	✗
Zhipeng et al. (2024) [94]	Homogeneous	✓	✗	✗	FedAvg	Verifiable secret sharing	✗
Lee et al. (2023) [23]	Heterogeneous	✗	✗	✗	Ensemble FL	Attention-based gating	✗
Sang et al. (2024) [19]	Heterogeneous	✓	Static	✗	FedAvg	Centralized aggregation	✓
Xiaokang et al. (2022) [26]	Heterogeneous	✓	Static	✓	FD	Blockchain verification	✗
Mishra et al. (2024) [21]	Homogeneous	✓	✗	✓	FedAvg	Secret sharing	✓
Roth et al. (2023) [17]	Heterogeneous	✓	Adaptive	✗	FD	Knowledge distillation	✗
Rezaei et al. (2026) [10]	Homogeneous	✓	✗	✓	FedSSL	Blockchain verification	✓
Proposed Model	Heterogeneous	✓	Adaptive	✓	FD	Knowledge distillation	✓

• Stronger Privacy Guarantees: ($ϵ=0.89$, $\delta ={10}^{-6}$) compared to static differential privacy approaches ($ϵ\ge 1.5$),
• Enhanced Compatibility: Supports five clinical model architectures simultaneously,
• Provable Security: Tamper-evident model sharing via blockchain-anchored hashes.

This comparative analysis, supported by experimental validation in Section 5, establishes that the proposed approach addresses the trilemma of healthcare federated learning: simultaneously achieving (1) incorporation of HIPAA-aligned technical safeguards, (2) sub-3.6% accuracy degradation, and (3) practical deployment scalability across healthcare networks [95]. In contrast to prior methods by Ying et al. (2023) [22], Raushan et al. (2023) [25], and Zhipeng et al. (2024) [94] that miss key features like adaptive differential privacy, blockchain auditability, and strong threat defense, our model distinctively combines heterogeneous FL support, FD collaboration, verifiable security, and adversarial resistance. Our system stays within 3.6% of centralized accuracy, cuts communication costs by 71%, and provides formal privacy assurances. It also reaches 96.9% prediction accuracy at $ϵ$ = 1.0, a mere 0.14% drop from centralized performance, confirming its advantage in security, efficiency, and real world use over current federated learning approaches.

6. Conclusions

This paper presents an integrated blockchain and federated learning framework designed for secure and privacy-preserving healthcare data sharing. The proposed architecture addresses fundamental challenges in cross-institutional collaboration by combining federated distillation for heterogeneous model support with dynamic differential privacy for adaptive protection. The threshold cryptographic protocol ensures decentralized access control while maintaining auditability through Quorum blockchain integration. Experimental validation on clinical prediction tasks demonstrates that the framework maintains high diagnostic accuracy (96.9% for Clinical Deterioration, 83.3% for Mortality Prediction) while providing formal privacy guarantees ($ϵ=1.0$) and resisting common adversarial attacks. The Random Forest model demonstrated particular robustness with only 0.14% accuracy degradation under privacy constraints. By enabling verifiable data sharing with regulatory compliance, this work establishes a practical foundation for privacy-preserving AI in distributed healthcare environments. Future research will explore extensions to multi-modal health data and enhanced threat detection capabilities for enterprise-scale deployments.

Notation

Table 12 summarizes all mathematical symbols, operators, and terminology used throughout this manuscript.

Table 12. Elementary operators and terminology.

Symbol	Description	Symbol	Description
$\mathcal{H}$	Set of hospitals	$H_i$	Hospital i
${\mathcal{D}}_i$	Private dataset of hospital i	$x_j,y_j$	Input feature and label
$E_i$	Edge server	${\mathcal{M}}_i$	Local model at hospital i
${\theta }_i$	Model parameters	${\pi }_i$	Policy of hospital i
$K,N$	Total hospitals/models	${\mathcal{D}}_{\mathrm{pub}}$	Public dataset
$ϵ,\delta$	Differential privacy budget	${ϵ}_i$	Personalized DP budget
${ϵ}_{\mathrm{total}}$	Total privacy budget	${ϵ}_{\mathrm{comp}}$	Composed DP budget
$m_i,n_i$	Dataset sizes	$\alpha$	Scaling factor
$\Delta$	Gradient sensitivity	$\Delta f$	Function sensitivity
${\Delta }_{\pi }$	Architecture divergence	$\sigma ,{\sigma }_i$	DP noise scales
${\sigma }_{min}$	Minimum singular value	$L_{\pi }$	Lipschitz constant
R	Radius bound	${\mathbf{L}}_{\mathrm{avg}}$	Average logits
$p_{\mathrm{detect}}$	Detection probability	$I(·;·)$	Mutual information
$pk,s{k}_i$	Public/private keys	t	Threshold value
$\mathcal{T}$	Participants set	$\kappa$	Security parameter
$\mathcal{C}$	Set of corrupted nodes	$\tau$	Consensus threshold
${\mathcal{B}}_i$	Hospital blockchain	$BM$	Consortium blockchain
$w_i$	Weight of client i	d	Dimension
$\mathcal{D},{\mathcal{D}}^{\prime }$	Adjacent datasets	$\mathcal{M}$	Privacy mechanism
$\mathcal{L}$	Loss function/Laplace distribution	∇	Gradient operator
${\mathsf{\ell }}_2$	Euclidean norm	${\mathbb{F}}_p$	Finite field
⋈	Join operation	⊗	Tensor product
⊕	XOR operator	[·]	Encrypted value
$Pr[·]$	Probability	$\mathcal{N}$	Gaussian distribution