[signa11]

> ... some companies threaten to terminate anyone who reveals his or her salary to another employee.

after this, i was wondering if there is a way to get the average salary of a group without revealing / knowing actual numbers ?

edit-001: ok, one thing that i can think of:

1. take a big number, and add your salary to it. this becomes the 'token' for the next guy.

2. he adds his salary to the number. etc. etc.

once you have the final number, remove the original number, and divide by number of folks. since this scheme appears to be so trivial, i am now wondering what i did wrong ?

[bzbarsky]

What threat model are you defending against?

Because the people at positions N and N+2 in your scheme can collude to determine the salary of the person at position N+1 without even having to reveal their own salaries in the process...

[signa11]

> What threat model are you defending against?

umm, not really trying to prevent from folks actively sabotage the whole thing, but just seeing if it actually works i.e gives the correct average salary...

but yes, as you have pointed out, people at N and N+2 can collude to get the original salary (for N+1).

[graywh]

Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group. Then you don't need to pass the cumulative sum from person to person.

Edit: I guess it doesn't even have to be a third party as long as everyone trusts the randomization (e.g., pulling identical pieces of folded paper from a hat).

[kabouseng]

Yes but you still need to trust the central authority then, meaning one person will know everyone's salary (he who generates all the tokens).

If you really want a cryptographic secure process, the key word to begin your journey would be "secure multiparty computation", and a very appropriate example in the book modern cryptography[1]:

[1] https://cs.stanford.edu/people/eroberts/courses/soco/project...

Basically your first solution but encrypt the communication between parties to prevent the n+1 - n attack.

edit - Only say infinite8s reply now, which is almost verbatim my reply including the same link.

[signa11]

> Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group

oooh :) this is pretty cool. thank you !

[infinite8s]

There is a cryptographic subfield called secure multiparty computation that lets you compute something like this (an average where nobody finds out the inputs of others) - https://cs.stanford.edu/people/eroberts/courses/soco/project...