Gossamer: weaknesses and performance

In this paper, we focus on Gossamer, a well-known ultralightweight authentication protocol, introduced in 2008. Our contributions are the following: we analyze the structure of the MixBits function, a key component of the protocol, and show that it does not realize a pseudorandom function, not even in a weak form; we show, by employing artificial intelligence techniques, that tags are distinguishable; finally, we study the performance of Gossamer and show that it does not provide a substantial saving, compared to a standard three-round mutual authentication protocol, implemented with lightweight primitives. We close the paper with further comments and remarks.