A PUF is embedded and implemented into a tag or a device, and outputs a noise y with an input of x, based on its own unique physical characteristics. Although x is used multiple times as inputs of PUF, the PUF outputs slightly different noises, ($y_1,{cdots}y_n$), and also the PUF has tamper-resistance property, hence it has been widely used in cryptographic protocol. In this paper, we study how to design a PUF-based RFID authentication protocol in a secure and an efficient way. Compared with recent schemes, the proposed scheme guarantees both authentication and privacy of backword/forward under the compromise of long-term secrets stored in tag. And also, the most cost and time-consumming procedure, key recovery algorithm used with PUF, has been desgined in the side of RFID reader, not in the tag, and, consequently, gives possibility to minimize costs for implementation and running time.