Recently, several grouping protocols have been proposed to manage RFID authentication process in the occasion of identifying large numbers of passive tags simultaneously, which is a relatively hot topic in market promotion. In these protocols, however, the identifiers of tags are unsafely transmitted, which is vulnerable to privacy information leakage through eavesdropping. On the other hand, these protocols suffer from tracking problem. In this paper, we propose a novel hash-based grouping authentication protocol on tag groups and multiple readers. In our design, the RFID system is capable of identifying specific tag groups according to real requirements. The messages transmitted between RFID entities are under protection to avoid tracking and eavesdropping. We present two types of verifying methods for the backend processing system (BPS). In addition, mutual authentication is available between the BPS and reader or the reader and tags. The security analysis shows that our protocol is resistant to various attacks and achieves wide compliance to low-cost passive tags.