Physical Unclonable Functions (PUFs) are increasingly becominga well-known security primitive for secure key storage

and anti-counterfeiting. For both applications it is imperative

that PUFs provide enough entropy. The aim of this paper

is to propose a new model for binary-output PUFs such as

SRAM, DFF, Latch and Buskeeper PUFs, and a method to

accurately estimate their entropy. In our model the measurable

property of a PUF is its set of cell biases. We determine

an upper bound on the \'extractable entropy\', i.e. the number

of key bits that can be robustly extracted, by calculating the

mutual information between the bias measurements done at

enrollment and reconstruction.

In previously known methods only uniqueness was studied

using information-theoretic measures, while robustness was

typically expressed in terms of error probabilities or distances.

It is not always straightforward to use a combination of these

two metrics in order to make an informed decision about

the performance of different PUF types. Our new approach

has the advantage that it simultaneously captures both of

properties that are vital for key storage: uniqueness and

robustness. Therefore it will be possible to fairly compare

performance of PUF implementations using our new method.

Statistical validation of the new methodology shows that

it clearly captures both of these properties of PUFs. In other

words: if one of these aspects (either uniqueness or robustness)

is less than optimal, the extractable entropy decreases.

Analysis on a large database of PUF measurement data shows

very high entropy for SRAM PUFs, but rather poor results

for all other memory-based PUFs in this database.