The last thing that we need to show is there isn't an easier way to compute d
than finding the factors of n.
This follows from what we just showed--
that if we know the totient, we could easily find the factors,
because the correctness of RSA depends on this property.
That means that there is some integer k such that k  φ(n) is equal to ed - 1,
which means that we already know the value of e.
We're assuming now that we figure out a way to compute d.
If we can solve this, then we know a multiple of the totient.
Once we know a multiple of the totient, it's easy to find the factors p and q.
If there were some easier way to find d than factoring the modulus,
that would provide an easy way to factor.
We finished showing that at least all the obvious mathematical ways
of breaking RSA would easily allow us to factor n.
This certainly doesn't cover issues in implementation
or issues in weak choices of messages or keys,
but assuming all of those things are good
then we've shown that all the obvious mathematical ways to break RSA
are equivalent to factoring n.
That means if factoring is hard, breaking RSA would be hard.
That's the second part of this claim--that factoring is, indeed, hard.
