diff --git a/ch08_signatures.adoc b/ch08_signatures.adoc index 678153db..5ed22326 100644 --- a/ch08_signatures.adoc +++ b/ch08_signatures.adoc @@ -635,7 +635,7 @@ The preceding protocol has several security problems. Most notable is that one party might learn the public keys of the other parties before committing to their own public key. For example, Alice generates her public key _yG_ honestly and shares it with Bob. Bob generates his public key -using _zG_ – _yG_. When their two keys are combined (_yG_ + _zG_ – _yG_), the +using _zG_ – _yG_. When their two keys are combined [.keep-together]#(_yG_ + _zG_ – _yG_),# the positive and negative _yG_ terms cancel out so the public key only represents the private key for _z_ (i.e., Bob's private key). Now Bob can create a valid signature without any assistance from Alice. This is ((("key cancellation attacks")))called a
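Review bot: the `[.keep-together]` role is applied only to the combined expression `(_yG_ + _zG_ – _yG_),` on the changed line, while the shorter expression `_zG_ – _yG_` in the unchanged first half of the same line can still be split at its spaces. If the aim is to stop these key expressions from breaking across lines in the rendered book, wrap that one as well, or note in the commit message that only the parenthesized form was seen breaking. The trailing comma sits inside the span, which keeps it attached to the closing parenthesis; that looks intentional, but it differs from how punctuation normally follows inline markup, so a short comment or a consistent convention across the chapter would help the next editor. The role name also has to be defined by the stylesheet or theme in use, and nothing in this hunk shows where it is defined, so please confirm it is not silently ignored in the build. Separately, both expressions use an en dash for subtraction; since the passage explains how the positive and negative _yG_ terms cancel in a key cancellation attack, a real minus sign would read less ambiguously.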