Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.