diff --git a/proposals/2134-identity-hash-lookup.md b/proposals/2134-identity-hash-lookup.md
index f1df605f..2ac074af 100644
--- a/proposals/2134-identity-hash-lookup.md
+++ b/proposals/2134-identity-hash-lookup.md
@@ -64,9 +64,12 @@ hashed). First the client must prepend the medium to the address:
 "denny@example.com" -> "email denny@example.com"
 ```
 
-Hashes must be peppered in order to reduce both the information a client gains
-during the process, and attacks the identity server can perform (namely sending
-a rainbow table of hashes back in the response to `/lookup`).
+Hashes must be peppered in order to reduce both the information an identity
+server gains during the process, and attacks the client can perform. Clients
+will have to generate a full rainbow table specific to the set pepper to
+obtain all registered MXIDs, while the server has to generate a full rainbow
+table with the specific pepper to get the plaintext 3pids for non-matrix
+users.
 
 In order for clients to know the pepper and hashing algorithm they should use,
 Identity servers must make the information available on the `/hash_details`