-
chaser: once Seraphis activates, will users be forced to switch to Polyseed mnemonics, or will it be possible to derive Seraphis+Jamtis addresses from their existing 25-word mnemonics?
-
rbrunner: The latter. You just continue with your 25 word seed.
-
rbrunner: There is no immediate technical link between Seraphis and Polyseed, by the way, we might introduce it even earlier
-
rbrunner: In fact, Feather Wallet supports it already now
-
rbrunner: Whether with Seraphis you will be able to generate *new* wallets giving you a new 25 word seed will probably be a matter of the wallet app
-
rbrunner: Maybe, maybe not
-
rbrunner: I wrote an entry in the FAQ about it: github.com/seraphis-migration/strat…my-seed-still-work-with-Seraphis%3F
-
chaser: excellent, thank you
-
chaser: so it doesn't matter if the mnemonic is a legacy or a Polyseed one, as long as the hexadecimal seed (in xmr.llcoins.net terms) is the same, they will yield the same addresses as long as they use the same transaction protocol and address derivation scheme (CryptoNote vs. Sefaphis+Jamtis). is that correct?
-
chaser: *Seraphis
-
rbrunner: Yes, the 256 bits of your spend secret key are what really matters, and that will live on and give you access to all your coins, pre-Seraphis and post-Seraphis
-
rbrunner: And these bits also ultimately give you your addresses
-
chaser: I see
-
chaser: however, IIUC, in Polyseed the mnemonic words and private spend key bits no longer have a bidirectional relationship (unlike in legacy mnemonics), so e.g. you can't construct a Polyseed that has the same private spend key you had in your legacy mnemonic. not that this would be a goal of Polyseed, just noting
-
rbrunner: I think so, yes. But like you, I think that's not a problem for anything important.
-
chaser: not for anything important at the moment, just something that would have been cool (to be able to switch from legacy to Polyseed and preserve addresses). however, if at a future point support goes away for legacy mnemonics in wallets, then people won't be able to restore hardware wallet balances in regular Monero software wallets. right now that's possible, thanks to the bidirectional relationship
-
rbrunner: I really don't expect support for any kind of seed ever going away. For me that goes against anything that Monero stands for: You can depend on it.
-
rbrunner: Anyway, the algorithms are all known, and should a wallet really drop something, it should be no problem to build stand-alone rescue tools
-
chaser: I really like this principle. "Monero: You can depend on it." I hope it will survive for a very long time!
-
kayabanerve[m]: tevador: Regarding 2-adicity, zcash.github.io/halo2/concepts/arithmetization.html
-
kayabanerve[m]: zcash.github.io/halo2/background/fields.html#multiplicative-subgroups for the theory, and for the pasta commentary zcash.github.io/halo2/design/implementation/fields.html