Phonon assets may only be transferred to and from authentic Phonon cards. This prevents exchanging with malicious devices that may duplicate or leak encumbered private keys. This is necessary to provide guarantees around the prevention of double-spends within the protocol. To achieve this, each Phonon card is provided with a certificate signed by a valid issuer. Before transferring assets, a card must check that the other party has a validly signed certificate to prove that it is running an authentic Phonon applet. Then, a transaction can be built and encrypted using a shared secret only known to those two PSMs, via ECDH key exchange. When the sender's card emits the transaction, the sender's card automatically deletes the asset internally, so that the private key will not exist in more than one location.. At this point, the encrypted transaction should now be treated as a collection of assets. The receiver's card (and only that card!) can import and receive the transaction. Consequently, if the transaction is lost or the receiver's card is lost, the assets in that transaction will be unretrievable.