Abstract. We (re-) introduce the Reduce-By-Feedback scheme given by Vielhaber (1987), Benaloh andDai (1995), andJeong andBurleson (1997).We show, how to break RSA, when implemented with the standard version of Reduce-by-Feedback or Montgomery multiplication, by Differential Power Analysis. We then modify Reduce-by-Feedback to avoid this attack. The modification is not possible for Montgomery multiplication.We show that both the original and the modified Reduce-by-Feedback algorithm resist timing attacks.Furthermore, some VLSI-specific implementation details (delayed carry adder, re-use of MUX tree and logic) are provided.