Quantum Bit String Commitment

A bit string commitment protocol securely commits $N$ classical bits in such a way that the recipient can extract only $M<N$ bits of information about the string. Classical reasoning might suggest that bit string commitment implies bit commitment and hence, given the Mayers-Lo-Chau theorem, that non-relativistic quantum bit string commitment is impossible. Not so: there exist non-relativistic quantum bit string commitment protocols, with security parameters $\epsilon$ and $M$, that allow $A$ to commit $N = N(M, \epsilon)$ bits to $B$ so that $A$'s probability of successfully cheating when revealing any bit and $B$'s probability of extracting more than $N'=N-M$ bits of information about the $N$ bit string before revelation are both less than $\epsilon$. With a slightly weakened but still restrictive definition of security against $A$, $N$ can be taken to be $O(\exp (C N'))$ for a positive constant $C$. I briefly discuss possible applications.