RFID technologies in IoT systems enable to recognize animate or inanimate objects via radio frequency signals. However, RFID has several privacy problems such as object tracking by reading and tracking the ID transmitted from the RFID-tag. To solve such problems, it is required that the RFID-tag should transmit its information to only legitimate readers, i.e., mutual authentication between the RFID-tag and the back-end system is required. This paper proposes a hash-function based mutual authentication protocol for low-cost RFID-tags in which calculation resources are limited. To prevent attackers eavesdropping tag's ID, randomly-picked nicknames shared between the RFID-tag and the back-end system are transmitted in the air. Simulation results show that our protocol consumes less time than a famous mutual authentication protocol, the Gossamer protocol. Security and performance analyses show that our protocol is superior to existing protocols. Thus, this paper demonstrates great potentials in the application into low-cost RFID in IoT systems.