[EDIT: its long and full of crypto, but read 6.5.1 last para or two; and 6.5.4 shows you what he's thinking this is good for "bearer certificates" = offline transferable pseudonymous ecash.]
In short it gives you a way to have a smart card that does something very cheap (like one 256-bit mod mul and 256-bit mod add to compute cx+w mod n (a contribution to the signature) Because of the inflow/outflow security arguments the card has no visibility into your privacy, its tamper resistance only protects double spending.
btw I its not so clear in the book, and I reinvented it in my 1995-2005 pre-bitcoin attempts to find a way to deploy a decentalized anonymous ecash, as specified what he is saying is actually not offline respendable, only offline spendable; ie after you've done your spend, before you can respend, you have to deposit the funds in an issuer bank. (And in bitcoin or zerocoin or the 1999 Ta-Shma & Sander "auditable anonymous electronic cash" paper there is no central bank, but you have to send it to the blockchain/zerocoin mix/shared blackboard respectively, but the dependency is still present).
What I figured out is you can offline respend without deposit (without going online) using 0-value coin collection as the initial witness. Very excited when I figured out that in 2000, and I asked Stefan about it, but it turns out there was a masters thesis on this topic and its mentioned in a footnote somewhere in Brands PhD thesis/book referenced above.
Anyway it seems to me you're more interested in offline re-spendability so you need to use that follow-on invention/re-invention.
Why I did nothing with this protocol (eg like rush off and implement it with B-money) is I was thinking it was not good enough - its necessarily, like bitcoin, pseudonymous, and publicly linkable, which I considered, and still do consider to be a privacy problem (and in bitcoin whether you believe in privacy or not, a fungibility problem in addition, hence all the debate about zerocoin, coinjoin, mixers and taint, whether you actually even want anonymity or not, those security concerns of fungibility and anonymity are actually orthogonal - you can have fungibility (via coin anonymity) with pseudonymity, or escrowed identity and other variants just fine). Btw there is a difference between payment confidentiality and pseudonymity/anonymity also, you can have payment confidentiality with or without pseudonymity/escrowed identity pseudonymity/anonymity. Bitcoin has limited payment confidentiality (you have to work hard with wallet control, which is not implemented, and disciplined fund separation, and mixes/coinjoining is of apparently statistically weak value according to the data analysts who have looked at the network flow statistics. And thats a problem. If nothing else we need to make bitcoin payment amounts confidential (eg homomorphic value encryption). And even payees is extremely invasive if you think about it. Oh the public can see you bought an ebook from this publisher. Or you bought a condom pack from this supplier. etc Its ridiculously invasive as is, and if your credit card issue or bank account put your statements online like the block chain there would be a public outcry.
Also I have to say I am not someone convinced by the offline respendability security argument. Even if there is a fidelity bond, the problem is offline respendable card is a license to print money, and people will just spend a multiple of the fidelity bond or try to. One somewhat defense is that if multiple people have offline respenable money flowing around, some of them are going to convert it to online ("deposit" it) and as soon as that happens the double-spend hw hack is blown. You want to pass a "this key and card series hacked" protocol revocation cert through the network, and switch to the ciphersuite/keyset B while working on deploying card C or firmware upgrade C.
Adam
