elliptic
Remove all dependencies, improve security
https://github.com/indutny/elliptic/blob/43ac7f230069bd1575e1e4a58394a512303ba803/package.json#L47-L55
I suggest switching to developed and audited projects:

- `bn.js` can be dropped in favor of native bigints, which have been supported everywhere for a long time
- `brorand` can be dropped in favor of a simple 5-lines-of-code file
- `hash.js` can be replaced by @noble/hashes, which has been independently audited and supports tree shaking
- `hmac-drbg` and the secp256k1 implementation can be replaced by @noble/secp256k1, which has been independently audited, uses native bigints, and is getting more and more popular. There is also an optional compatibility layer with the old api
- `inherits` does not seem that useful at this point, since the intro of es6 classes
- `minimalistic-assert`, `minimalistic-crypto-utils` can be kept; I suggest setting their versions to a fixed value instead of a range
- This solution is much faster than the current elliptic impl.
- Elliptic is 130KB of minified code right now, which is huge. It can be tiny, a fraction of that.
I fully second what @paulmillr just suggested.

Except that I would also suggest removing `minimalistic-assert` and `minimalistic-crypto-utils` from the dependencies too.

Those packages are respectively 10 and 58 lines of code which haven't been updated for 4 and 6 years; just copy them into the project's code. No need to add a dependency on an external package for that :) This would definitely reduce the attack surface for a supply chain attack.

- `minimalistic-crypto-utils`: https://github.com/indutny/minimalistic-crypto-utils/blob/master/lib/utils.js
- `minimalistic-assert`: https://github.com/calvinmetcalf/minimalistic-assert/blob/master/index.js
I was wondering how long it was going to take for someone to notice brorand. I might code that change up and submit a pull request.