diff --git a/ch08_signatures.adoc b/ch08_signatures.adoc
index 2dd7fb7a..e30594e4 100644
--- a/ch08_signatures.adoc
+++ b/ch08_signatures.adoc
@@ -601,7 +601,7 @@ Alice and Bob need to derive the public key for +x+, which is +xG+.
 Since it's possible to use elliptic curve operations to add two EC
 points together, they start by Alice deriving +yG+ and Bob deriving
 +zG+.  They then add them together to create +xG = yG + zG+.  The point
-+xG+ is their _aggregated public key_.  To create a signature, they begin the
++xG+ is ((("aggregated public keys")))((("public keys", "aggregated")))their _aggregated public key_.  To create a signature, they begin the
 simple multisignature protocol:
 
 1. They each individually choose a large random private nonce, +a+ for
@@ -632,7 +632,7 @@ to their own public key.  For example, Alice generates her public key
 using +zG - yG+.  When their two keys are combined (+yG + zG - yG+), the
 positive and negative +yG+ terms cancel out so the public key only represents
 the private key for +z+, i.e., Bob's private key.  Now Bob can create a
-valid signature without any assistance from Alice.  This is called a
+valid signature without any assistance from Alice.  This is ((("key cancellation attacks")))called a
 _key cancellation attack_.
 
 There are various ways to solve the key cancellation attack.  The