The design of ultralightweight authentication protocols that conform to low-cost tag requirements is imperative. This paper analyses the most important proposals (except for those based in hard problems such as the HB [1-3] family) in the area [4-6] and identifies the common weaknesses that have left all of them open to various attacks [7] [8] [9] [10] [11] . Finally, we present Gossamer, a new protocol inspired by the recently published SASI scheme [13] , that was lately also the subject of a

more »

... isclosure attack by Hernandez-Castro et al. [14] . Specifically, this new protocol is designed to avoid the problems of the past, and we examine in some deep its security and performance. tags."Lightweight" tags are those whose chip supports a random number generation and simple functions like a Cyclic Redundancy Code (CRC) checksum, but not cryptographic hash function. "Ultralightweight" tags can only compute simple bitwise operations like XOR, AND, OR, etc. These ultralightweight tags represent the greatest challenge in terms of security, due to their expected wide deployment and very limited capabilities.