We propose an entanglement-based quantum bit string commitment protocol whose composability is proven in the random oracle model. This protocol has the additional property of preserving the privacy of the committed message. Even though this property is not resilient against man-in-the-middle attacks, this threat can be circumvented by considering that the parties communicate through an authenticated channel. The protocol remains secure and private (but not composable) if we realize the random oracles as physical unclonable functions (PUFs) in the so-called bad PUF model.
Keywords: composable security; entanglement; physical unclonable functions; privacy; quantum bit commitment.