Update README: mark Schnorr complete, add compat test instructions

1 files changed, 20 insertions, 5 deletions

diff --git a/README.md b/README.md
index 0c7af3e..da522d6 100644
--- a/README.md
+++ b/README.md
@@ -26,11 +26,11 @@ Building Schnorr signatures on secp256k1 in Go, from first principles.
 - [x] **Why it's hard to reverse** — the discrete log problem
 
 ### Part 4: Schnorr Signatures (BIP-340)
-- [ ] **X-only public keys** — 32 bytes, implicit even y
-- [ ] **The signing algorithm** — nonce, challenge, response
-- [ ] **Why random nonce matters** — reuse = leaked private key
-- [ ] **The verification equation** — checking without knowing the private key
-- [ ] **Tagged hashes** — domain separation for security
+- [x] **X-only public keys** — 32 bytes, implicit even y
+- [x] **The signing algorithm** — nonce, challenge, response
+- [x] **Why random nonce matters** — reuse = leaked private key
+- [x] **The verification equation** — checking without knowing the private key
+- [x] **Tagged hashes** — domain separation for security
 
 ### Part 5: Serialization
 - [x] **Bech32 encoding** — human-readable format (npub, nsec)
@@ -58,6 +58,21 @@ This implementation targets:
 
 Not implemented: ECDSA (used by legacy Bitcoin, Ethereum)
 
+### Compatibility Tests
+
+Verified against `btcec/v2` (the library used by most Go Bitcoin/Nostr projects):
+
+```bash
+go get github.com/btcsuite/btcd/btcec/v2
+go test -tags=compat ./...
+```
+
+Tests confirm:
+- Key derivation produces identical public keys
+- Signatures created here verify with btcec
+- Signatures from btcec verify with our code
+- All 14 official BIP-340 test vectors pass
+
 ---
 
 ## Resources