An RFID system generally consists of tags, readers, and backend servers, with the readers charged with authenticating/identifying the tags with the help of the servers. Two important enhancements have been suggested for widespread adoption of RFIDs, namely the use of low-cost (5¢ or less) passive RFID tags and a serverless system design to overcome the need for a persistent connection between the readers and the servers. Unfortunately, low-cost tags lack the computation and storage capabilities to implement sophisticated security protocols that provide tag privacy and anonymous mutual authentication between the readers and the tags. Although several schemes have been proposed for mutual authentication, they invariably have stringent computation and storage requirements, rendering them unimplementable in passive tags. In this paper, we propose SAMA, a novel serverless and anonymous mutual authentication scheme for a passive-tag-based RFID system. Our scheme uses non-linear feedback shift registers and only logical operations to provide robust and anonymous mutual authentication. We perform security analyses and performance evaluation of SAMA and demonstrate its effectiveness and efficiency in comparison with popular schemes in the literature. Our scheme requires only three message communications between the tag and the reader and uses only 1393 gates and 70 clock cycles at the tag.