Physical Unclonable Functions (PUFs) are increasingly becoming
a well-known security primitive for secure key storage
and anti-counterfeiting. For both applications it is imperative
that PUFs provide enough entropy. The aim of this paper
is to propose a new model for binary-output PUFs such as
SRAM, DFF, Latch and Buskeeper PUFs, and a method to
accurately estimate their entropy. In our model the measurable
property of a PUF is its set of cell biases. We determine
an upper bound on the \'extractable entropy\', i.e. the number
of key bits that can be robustly extracted, by calculating the
mutual information between the bias measurements done at
enrollment and reconstruction.
In previously known methods only uniqueness was studied
using information-theoretic measures, while robustness was
typically expressed in terms of error probabilities or distances.
It is not always straightforward to use a combination of these
two metrics in order to make an informed decision about
the performance of different PUF types. Our new approach
has the advantage that it simultaneously captures both of
properties that are vital for key storage: uniqueness and
robustness. Therefore it will be possible to fairly compare
performance of PUF implementations using our new method.
Statistical validation of the new methodology shows that
it clearly captures both of these properties of PUFs. In other
words: if one of these aspects (either uniqueness or robustness)
is less than optimal, the extractable entropy decreases.
Analysis on a large database of PUF measurement data shows
very high entropy for SRAM PUFs, but rather poor results
for all other memory-based PUFs in this database.