How do they prevent double spends?<p>Suppose Eve has $100 on her phone she could send to either Alice or Bob's phone.<p>To me, "permitting offline transactions" means Eve's phone can generate a message that says "Here's $100, Alice" -- and Alice's phone will accept that transaction. Likewise, it could generate a message that says "Here's $100, Bob" -- and Bob's phone will accept that transaction.<p>Now the software on Eve's phone might be coded to prevent both messages from being sent. But Eve has physical control of her phone and can modify the software or its database (i.e. backup the database, send the Alice message, then restore the backup so the software thinks Eve still has $100 and permits the Bob message to be sent.)<p>Now if Alice and Bob connected to each other, a central server, or a decentralized blockchain, they could see that Eve is executing a double spend. But that goes against the idea of "offline digital cash".<p>Actually reading this, they did think about it. The protected keys are handled by a "secure element" but it seems...like an awfully thin line, given Eve could open up her phone and access PCB traces, or write custom software to say "Yeah this transaction was totally processed by the secure element, for real!" but actually it was written by Eve.<p>And the secure element chips have to be manufactured somewhere, would anyone know if a backdoor was slipped in there?