From 73d85e245e4c867ad57e92875257222c3db7a087 Mon Sep 17 00:00:00 2001 From: Clawd Date: Thu, 19 Feb 2026 21:44:44 -0800 Subject: Add security/performance disclaimer to README --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 4bff680..b02fb07 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,16 @@ Building Schnorr signatures on secp256k1 in Go, from first principles. **Goal:** Understand the math deeply, not just copy formulas. End with a working (non-production) implementation compatible with Bitcoin Taproot and Nostr. +> ⚠️ **Not for production use.** +> +> This implementation prioritizes clarity over security and performance: +> +> - **Not constant-time.** Uses Go's `big.Int`, which has variable-time operations (branches and memory access patterns that depend on secret values). An attacker measuring timing over many signatures could potentially recover private keys. Production libraries use fixed-size arithmetic with no secret-dependent branches. +> +> - **~10x slower than btcec.** `big.Int` means heap allocations on every operation, generic modular reduction, and no assembly. Production libraries use stack-allocated fixed-width limbs, exploit secp256k1's special prime for fast reduction, and hand-tuned assembly. +> +> For hobby projects on your own hardware? Fine. For anything with real value at stake, use [btcec](https://github.com/btcsuite/btcd/tree/master/btcec) or [dcrd/secp256k1](https://github.com/decred/dcrd/tree/master/dcrec/secp256k1). + --- ## Progress -- cgit v1.2.3
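Review bot: the "~10x slower than btcec" bullet in the README hunk states a specific performance ratio without any benchmark behind it; either replace the number with a qualitative claim ("substantially slower than btcec") or add the benchmark that produced it (for example a `go test -bench` comparison of sign/verify against btcec on the same machine, with the Go version and CPU noted), otherwise the figure will drift as the code changes and readers will treat it as measured. The constant-time bullet is accurate as written: `big.Int` has secret-dependent branches and memory access, and for Schnorr the nonce arithmetic leaks as readily as the private-key arithmetic, so "could potentially recover private keys" is, if anything, understated; consider saying so explicitly, since a partially leaked nonce across many signatures is the practical attack path. Minor style point: the two bullets each open with a bolded fragment followed by a sentence-level explanation, which matches the rest of the README's list style, but the closing line "For hobby projects on your own hardware? Fine." reads as a rhetorical aside; a plain statement ("Fine for experiments on your own hardware; for anything holding real value, use ...") keeps the warning block in the same register as the Goal line above it.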