An RFID system generally consists of tags, readers, and backend servers, with the readers responsible for authenticating/identifying the tags with the help of the servers. Two important enhancements have been suggested for widespread adoption of RFIDs, namely the use of low-cost (5¢ or less) passive RFID tags and serverless system design to overcome the need for a persistent connection between the readers and the servers. Unfortunately, the low-cost tags lack the computation and storage capabilities to implement sophisticated security protocols that provide tag privacy and anonymous mutual authentication between the readers and the tags. Although several schemes (including some serverless schemes) have been proposed for authentication between tags and readers, they invariably have stringent computation and storage requirements and cannot be implemented in passive tags. In this paper, we propose SAMA, a novel serverless and anonymous mutual authentication scheme for a system consisting of passive tags and readers. Our scheme uses non-linear feedback shift registers and only logical operations to provide robust and anonymous mutual authentication. We perform security analyses and a performance evaluation of SAMA and demonstrate its effectiveness and efficiency in comparison with other popular schemes in the literature. Our scheme requires only three message communications between the tag and the reader. Additionally, it requires only 1393 gates and 70 clock cycles at the tag.