> you had a digital cash system in which the money was redeemable for CPU time in a secure outsourcing system ... It is of course possible that such a system could not be securely realized for technical reasons
I don't see how it could be possible to design a system were useful CPU work done for others was turned into tokens, as one could simply create a whole bunch of fake work. The fundamental question is who is the counterparty to the tokens? If it's the entity selling CPU time, then you're dealing with a gift card system that doesn't scale to a real currency. If it's not, then you're no longer describing the payment system but have switched to describing an application of it.
> What is the formal definition of computing power here
Clearly it's just the ability to calculate SHA2 preimages. If you want something better, you've got to come up with that formality and an implementation to show that it is practical.
I'm having a hard time responding because it seems like you want to postulate systems with these nice-sounding properties, but it seems apparent to me that you'd never be able to connect them with proofs to make a system. You simply won't be able to build proofs of work for something as simplistic as "number of gates evaluated" (and if you're talking about 'gates' in MPC, you're really just talking about eg group operations).
> If the attacker can only scale their computation by some polynomial in the parameters of the system, the attacker can only enter some polynomial number of parties
What you're describing here is Bitcoin. You've just been spoiled with attackers usually needing exponential resources. As I said, your formalities are misleading you - crypto algorithms may work this way, but not everything does! An algorithm cannot discern good guys from bad guys, meaning they're both on equal footing and the best we can do is have a power balance.
I don't see how it could be possible to design a system were useful CPU work done for others was turned into tokens, as one could simply create a whole bunch of fake work. The fundamental question is who is the counterparty to the tokens? If it's the entity selling CPU time, then you're dealing with a gift card system that doesn't scale to a real currency. If it's not, then you're no longer describing the payment system but have switched to describing an application of it.
> What is the formal definition of computing power here
Clearly it's just the ability to calculate SHA2 preimages. If you want something better, you've got to come up with that formality and an implementation to show that it is practical.
I'm having a hard time responding because it seems like you want to postulate systems with these nice-sounding properties, but it seems apparent to me that you'd never be able to connect them with proofs to make a system. You simply won't be able to build proofs of work for something as simplistic as "number of gates evaluated" (and if you're talking about 'gates' in MPC, you're really just talking about eg group operations).
> If the attacker can only scale their computation by some polynomial in the parameters of the system, the attacker can only enter some polynomial number of parties
What you're describing here is Bitcoin. You've just been spoiled with attackers usually needing exponential resources. As I said, your formalities are misleading you - crypto algorithms may work this way, but not everything does! An algorithm cannot discern good guys from bad guys, meaning they're both on equal footing and the best we can do is have a power balance.