The HashToCurve circuit, parameterised by the message length (in bytes), is located at circuits/circom/hash_to_curve.circom. It implements the hash-to-curve suite described here on grumpkin curve.

The algorithm it follows is as such:

hash_to_curve(msg)

Input: msg, an arbitrary-length byte string.
Output: P, a point in the secp256k1 curve.

Steps:
1. u = hash_to_field(msg)
2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1])
4. R = iso_map(Q0) + iso_map(Q1)
5. return P

Implemented in circuits/circom/hash_to_field.circom. Follows the algorithm described here.

Implemented in circuits/circom/map_to_curve.circom. Follows the SSWU algorithm described here.

Our library is a fork of secp256k1_hash_to_curve developed by Geometry. This product includes software developed by ABDK Consulting. In particular, min function and FieldSqrt template in map_to_curve.circom is taken from min.circom and FieldSqrt.circom in abdk-libraries-circom developed by ABDK Consulting.