A bit string commitment protocol securely commits $N$ classical bits so that the recipient can extract only $M<N$ bits of information about the string. Classical reasoning suggests that bit string commitment implies bit commitment and hence, given the Mayers-Lo-Chau theorem, that nonrelativistic quantum bit string commitment is impossible. Not so: there exist nonrelativistic quantum bit string commitment protocols, with security parameters $ϵ$ and $M$, that allow $A$ to commit $N=N(M,ϵ)$ bits to $B$ so that $A$’s probability of successfully cheating when revealing any bit and $B$’s probability of extracting more than $N^{\prime }=N-M$ bits of information about the $N$ bit string before revelation are both less than $ϵ$. With a restrictive definition of security against $A$, $N$ can be taken to be $O\mathbf{(}\exp (C{N}^{\prime })\mathbf{)}$ for a positive constant $C$. I briefly discuss possible applications.

• Received 1 October 2001

DOI:https://doi.org/10.1103/PhysRevLett.90.237901