There are a number of ways to deal with some of the objections that have
come up in this thread; e.g. the unlucky user scenario.
Refer to the paper Micropayments Revisited written by Silvio Micali
and Ron Rivest:
http://theory.lcs.mit.edu/~rivest/publications.html
[The powerpoint slides
The idea is also similar to timing attacks against very, very
badly-implemented password checking schemes; e.g. where a reply by some
verifying server to a correct guess on the first n characters of a
password takes slightly longer than a reply to a correct guess on only
the initial n-1 characters
