[bzbarsky]

What threat model are you defending against?

Because the people at positions N and N+2 in your scheme can collude to determine the salary of the person at position N+1 without even having to reveal their own salaries in the process...

[signa11]

> What threat model are you defending against?

umm, not really trying to prevent from folks actively sabotage the whole thing, but just seeing if it actually works i.e gives the correct average salary...

but yes, as you have pointed out, people at N and N+2 can collude to get the original salary (for N+1).

[graywh]

Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group. Then you don't need to pass the cumulative sum from person to person.

Edit: I guess it doesn't even have to be a third party as long as everyone trusts the randomization (e.g., pulling identical pieces of folded paper from a hat).

[kabouseng]

Yes but you still need to trust the central authority then, meaning one person will know everyone's salary (he who generates all the tokens).

If you really want a cryptographic secure process, the key word to begin your journey would be "secure multiparty computation", and a very appropriate example in the book modern cryptography[1]:

[1] https://cs.stanford.edu/people/eroberts/courses/soco/project...

Basically your first solution but encrypt the communication between parties to prevent the n+1 - n attack.

edit - Only say infinite8s reply now, which is almost verbatim my reply including the same link.

[signa11]

> Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group

oooh :) this is pretty cool. thank you !