[graywh]

Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group. Then you don't need to pass the cumulative sum from person to person.

Edit: I guess it doesn't even have to be a third party as long as everyone trusts the randomization (e.g., pulling identical pieces of folded paper from a hat).

[kabouseng]

Yes but you still need to trust the central authority then, meaning one person will know everyone's salary (he who generates all the tokens).

If you really want a cryptographic secure process, the key word to begin your journey would be "secure multiparty computation", and a very appropriate example in the book modern cryptography[1]:

[1] https://cs.stanford.edu/people/eroberts/courses/soco/project...

Basically your first solution but encrypt the communication between parties to prevent the n+1 - n attack.

edit - Only say infinite8s reply now, which is almost verbatim my reply including the same link.

[signa11]

> Have a third party generate a set of tokens, one per person, recording only their sum, and randomly distribute them to the group

oooh :) this is pretty cool. thank you !