Let $N=pq$ be an RSA modulus, that is, $p$ and $q$ are large, distinct primes.

Let $J_{N}=\{y\in\mathbb{Z}^{*}_{N}:(\frac{y}{N})_{J}=1\}$ denote the set of all integers in $\mathbb{Z}^{*}_{N}$ with Jacobi symbol $1$.

The Quadratic Residuosity (QR) problem is to decide whether a given $y\in J_{N}$ is a quadratic residue modulo $N$ or not, that is, whether $y\in QR_{N}$, where $QR_{N}=\{y\in\mathbb{Z}^{*}_{N}:\exists z\in\mathbb{Z}^{*}_{N}, y=z^{2}\mod N\}$.

Consider the following bit commitment scheme:
\begin{equation*}commit(u,x)=u^{2}y^{x}\mod N,\end{equation*}
where $u\in_{R}\mathbb{Z}^{*}_{N}$, $y\in J_N$ is a quadratic non-residue and $x\in\{0,1\}$.

The commitment corresponds to ciphertexts in the Goldwasser–Micali public key cryptosystem.

*The scheme is information-theoretically binding and computationally hiding*.

**The Question**: Isn't this scheme computationally binding based on quadratic residue hardness assumption, and information theoretically hiding?

Reference: [Lecture Notes Cryptographic Protocols,: pages 33&101, Version 1.8, February 4, 2023, Berry Schoenmakers]

An attempt to show that the scheme is not binding if the sender be able to compute quadratic residue:

Let $y=r^{2}\mod N$, for sum $r\in\mathbb{Z}_{N}$ and the sender knows $r$.

Now the sender does the following:
\begin{equation*}commit(ur,\color{blue}{x=0})=(ur)^{2}y^{x=0}=u^{2}r^{2}=u^{2}y^{x=1}=commit(u,\color{blue}{x=1})\mod N\end{equation*}