

In 2006, Peris-Lopez et al. [1,2,3] initiated the design of ultralightweight RFID protocols – with the UMAP family – involving only simple bitwise logical or arithmetic operations such as bitwise XOR, OR, AND, and addition. This combination of operations was revealed later to be insufficient for the intended security level [12,13]. Then, Chien proposed the SASI protocol [4] with the aim of offering better security by adding the bitwise rotation to the set of supported operations. The SASI protocol represented a milestone in the design of ultralightweight protocols, although certain attacks have been published against this scheme [5,6,7]. In 2008, a new protocol named Gossamer [8] was proposed and the scheme can be considered a further development of both the UMAP family and SASI. Although no attacks have been disclosed against Gossamer, Lee et al. [9] have recently published an alternative scheme that is highly reminiscent of SASI. In this paper, we show that Lee's scheme fails short of many of its security objectives, being vulnerable to several important attacks like traceability, full disclosure, cloning and desynchronization.