Aiming at the security problem in mobile radio frequency identification (RFID) systems, we employ the physical unclonable function (PUF) to study authentication protocol in mobile and largescale RFID systems. To solve the problem of impersonation attack to the reader, the Vaudenay’s model is extended by introducing the corrupting ability of the adversary to the reader and the reader is further authenticated by the server. To solve the problem of insufficient computation ability of tag and longtime cost of the server for  searching target tag, the PUF is adopted to generate the session key to reduce the computation cost of tag encryption, and the server quickly identifies the tag and the reader using the shared key XOR operations. Our analysis proves that the proposed security protocol can realize destructive privacy according to the Vaudenay's model theory. Simulation results show that the search time of the server in PMLS protocol does not increase with the number of the tag by using the proposed security protocol, which meets the application requirements of mobile and large scale RFID systems.