Of course, but if the seller has to manually inspect the program for every transaction, is this really all that useful?

There are a myriad of ways to leak timing information from something like this, and to mask them amongst legitimate-seeming computations.

It seems like if you're having to rely on manual program inspection, then you've already lost.

The amount of execution time is a simple public parameter of the system.

These schemes require reducing the verification program to a circuit in advance, so its execution time is already fixed by virtue of that translation.

(In practice the existing implementation is not using constant time cryptography; and so it could have timing/cache/EMI side-channels; but this is "just engineering")

Ah, of course, just fix the run time. I should have realized that. Thanks.

Nice work!