diff --git a/supporting-docs/guides/2016-10-18-e2e_implementation.rst b/supporting-docs/guides/2016-10-18-e2e_implementation.rst index 017838c4..a018a410 100644 --- a/supporting-docs/guides/2016-10-18-e2e_implementation.rst +++ b/supporting-docs/guides/2016-10-18-e2e_implementation.rst @@ -132,18 +132,18 @@ should construct a JSON object as follows: { "algorithms": ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"], - "device_id": "", + "device_id": "", "keys": { - "curve25519:": "", - "ed25519:": "" + "curve25519:": "", + "ed25519:": "" }, - "user_id: " + "user_id: " } The object should be formatted as `Canonical JSON `__, then signed with ``olm_account_sign``; the signature should be added to -the JSON as ``signatures..ed25519:``. +the JSON as ``signatures..ed25519:``. The signed JSON is then uploaded via ``POST /_matrix/client/unstable/keys/upload``. @@ -168,7 +168,7 @@ maintain about half this number on the homeserver. To generate new one-time keys: -* Call ``olm_account_generate_one_time_keys`` to generate new keys +* Call ``olm_account_generate_one_time_keys`` to generate new keys. * Call ``olm_account_one_time_keys`` to retrieve the unpublished keys. This returns a JSON-formatted object with the single property ``curve25519``, 
@@ -184,22 +184,60 @@ To generate new one-time keys: } } -* Construct a JSON object as follows: +* Each key should be signed with the account key. To do this: + + * Construct a JSON object as follows: + + .. code:: json + + { + "key": "" + } + + * Call ``olm_account_sign`` to calculate the signature. + + * Add the signature should be added to the JSON as + ``signatures..ed25519:``. + + * The complete key object should now look like: + + .. code:: json + + { + "key": "wo76WcYtb0Vk/pBOdmduiGJ0wIEjW4IBMbbQn7aSnTo", + "signatures": { + "@alice:example.com": { + "ed25519:JLAFKJWSCS": "dSO80A01XiigH3uBiDVx/EjzaoycHcjq9lfQX0uWsqxl2giMIiSPR8a4d291W1ihKJL/a+myXS367WT6NAIcBA" + } + } + } + + +* Aggregate all the signed one-time keys into a single JSON object as follows: .. code:: json { "one_time_keys": { - "curve25519:": "", + "signed_curve25519:": { + "key": "", + "signatures": { + "": { + "ed25519:": "" + } + } + }, + "signed_curve25519:": { + ... + }, ... } } -* Upload the object via ``POST /_matrix/client/unstable/keys/upload``. (Unlike - the device keys, the one-time keys are **not** signed. +* Upload the object via ``POST /_matrix/client/unstable/keys/upload``. * Call ``olm_account_mark_keys_as_published`` to tell the olm library not to - return the same keys from a future call to ``olm_account_one_time_keys``\. + return the same keys from a future call to ``olm_account_one_time_keys``. Configuring a room to use encryption ------------------------------------ @@ -407,20 +445,20 @@ object containing information on the device, as follows: { "algorithms": [...], - "device_id": "", + "device_id": "", "keys": { - "curve25519:": "", - "ed25519:": "" + "curve25519:": "", + "ed25519:": "" }, "signatures": { "": { - "ed25519:": "" + "ed25519:": "" }, }, "unsigned": { "device_display_name": "" }, - "user_id: " + "user_id: " } The client should first check the signature on this object. To do this, 
@@ -601,7 +639,7 @@ create a query object as follows: { "": { - "": "curve25519", + "": "signed_curve25519", ... }, ... @@ -617,15 +655,28 @@ This will return a result as follows: { "": { "": { - "curve25519:": "" + "signed_curve25519:": { + "key": "", + "signatures": { + "": { + "ed25519:": "" + } + } + }, }, ... }, ... } -The client should then pass this key, along with the Curve25519 Identity -key for the remote device, into ``olm_create_outbound_session``. +The client should first check the signatures on the signed key objects. As with +checking the signatures on the device keys, it should remove the ``signatures`` +property, format the remainder as Canonical JSON, and pass the result into +``olm_ed25519_verify``, using the Ed25519 device key for the ``key`` parameter. + +Provided the key object passes verification, the client should then pass the +key, along with the Curve25519 Identity key for the remote device, into +``olm_create_outbound_session``. Handling membership changes ---------------------------
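Review bot: in the first hunk (the device-keys object around line 132) the last property is written as `"user_id: "`, with the colon inside the quoted name and no closing quote, in both the removed and the added line, so the example is not valid JSON. Since the line is being touched anyway, write it in the same shape as the other properties (`"user_id": "<user id>"`) so readers can paste the example into a validator; the same malformed line reappears in the hunk around line 445 and should be fixed there too.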
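Review bot: the new sub-bullet in the one-time-keys hunk (around line 184) reads "Add the signature should be added to the JSON as ...", which mixes two sentence forms; use "Add the signature to the JSON as ``signatures..ed25519:``." to match the imperative style of the sibling bullets. Also worth stating in the lead bullet that the signing key is the account's Ed25519 key (the ``signatures`` path already implies it), so it is clear the Curve25519 one-time key is signed by the long-term Ed25519 identity and not by itself.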
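Review bot: the last hunk (the claimed-keys result around line 655) says what to do when the signed key object passes verification but not what to do when it fails; add a sentence that on failure the client must not call ``olm_create_outbound_session`` with that key and should treat the claim as if no key had been returned (it cannot trust a one-time key the server could have substituted). It would also help to say that the Ed25519 key used for ``olm_ed25519_verify`` is the device key the client already checked per the earlier device-keys section, and to drop the trailing comma after the closing ``},`` of the ``signed_curve25519:`` object in the example, which makes the example invalid JSON.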