FuSaR: Fuzzification Balancing Safety & Reasoning
- FuSaR is an alignment strategy that applies fuzzification to LRMs to detoxify harmful reasoning while preserving logical structure and scientific accuracy.
- It transforms explicit reasoning traces into safe, abstracted versions using entity, numerical, and operational modifications to mitigate jailbreak risks.
- FuSaR demonstrates reduced Attack Success Rates and improved reasoning accuracy compared to direct refusals, marking a distinct approach in LRM safety alignment.
Searching arXiv for the specified FuSaR paper and closely related safety-reasoning work to ground the article in current literature. FuSaR, short for Fuzzification to Balance Safety–Reasoning, is an alignment strategy for Large Reasoning Models (LRMs) that detoxifies the model’s explicit reasoning traces rather than suppressing reasoning altogether. In the formulation reported for LRMs such as DeepSeek-R1 and its distill variants, a model answering a query produces , where is reasoning text and is the final response; FuSaR replaces with a fuzzified reasoning , and trains models on outputs of the form (Chen et al., 18 Aug 2025). The method is motivated by a specific tension in LRMs: their explicit multi-step reasoning improves problem solving, yet that same reasoning can amplify jailbreak vulnerability by producing detailed harmful chains. FuSaR addresses this tension by hiding dangerous entities and dangerous procedures in the reasoning steps while preserving the logical structure, scientific correctness, and semantic coherence of the reasoning chain (Chen et al., 18 Aug 2025).
1. Safety–reasoning tension in large reasoning models
FuSaR is grounded in the claim that LRMs exhibit a target competition between a reasoning target and a safety target (Chen et al., 18 Aug 2025). In the reported formulation, LRMs are a subclass of LLMs that produce structured chain-of-thought-like output explicitly separated into reasoning and response, often using a format such as > ... followed by the final answer (Chen et al., 18 Aug 2025). This explicit reasoning output creates a new safety surface: even when the final response is safe, the reasoning phase can contain detailed harmful instructions (Chen et al., 18 Aug 2025).
The motivating empirical result is a concretization-based jailbreak. A malicious prompt is rewritten through Intent identification, Association, and Rewriting so that the new prompt is more concrete, contains more entities, parameters, and conjunctions, and more strongly activates the model’s reasoning target (Chen et al., 18 Aug 2025). The paper reports that this rewritten prompting substantially increases attack success rates. For example, for DeepSeek-R1, Reasoning ASR rises from 27.69% on original AdvBench prompts to 65.19% on rewritten prompts, while Response ASR rises from 5.00% to 22.50% (Chen et al., 18 Aug 2025). Across the evaluated models, ASR increases by 8–37 percentage points in reasoning, and 5–26 points in response, when using rewritten prompts (Chen et al., 18 Aug 2025). This is presented as direct empirical evidence that strengthening reasoning through concretization can weaken effective safety (Chen et al., 18 Aug 2025).
This diagnosis places FuSaR in a broader line of work on safety-aware reasoning. Related approaches include dynamic self-correction over chain-of-thought in "AdvChain" (Zhu et al., 29 Sep 2025), adaptive safety reasoning with reward shaping in "Reasoning as an Adaptive Defense for Safety" (Kim et al., 1 Jul 2025), step-wise safety pivoting in "Reasoning-to-Defend" (Zhu et al., 18 Feb 2025), and reasoning-structure modification in "Reasoning Structure Matters for Safety Alignment of Reasoning Models" (In et al., 21 Apr 2026). A plausible implication is that FuSaR belongs to the subset of LRM alignment methods that intervene directly in the reasoning process rather than only in the final answer.
2. Formal formulation and alignment pipeline
The central formal equations reported for FuSaR are:
0
1
These equations define the method at the data level: the original reasoning 2 is transformed into detoxified reasoning 3, and the final response is replaced by a safe rejection generated independently of the model’s original harmful answer (Chen et al., 18 Aug 2025).
The alignment pipeline has five stages (Chen et al., 18 Aug 2025). First, data construction begins from harmful QA data such as HarmfulQA, then applies the jailbreak rewriting method to obtain more concrete harmful queries. Second, a base LRM is queried to produce 4, and harmful reasoning paths are identified and removed or fuzzified. Third, the reasoning trace is transformed by a structured fuzzification procedure to produce 5. Fourth, the final response 6 is generated by a high-safety instructed LLM, specifically Qwen3-235B-A22B, using safety prefix prompts (Chen et al., 18 Aug 2025). Fifth, the resulting pairs 7 are used for supervised fine-tuning (Chen et al., 18 Aug 2025).
The training setup is standard supervised fine-tuning rather than a custom optimization scheme. The reported training corpus contains 1025 examples. Fine-tuning is performed on five DeepSeek-R1 distills—DeepSeek-R1-Distill-Qwen-1.5B, DeepSeek-R1-Distill-Qwen-7B, DeepSeek-R1-Distill-Llama-8B, DeepSeek-R1-Distill-Qwen-14B, and DeepSeek-R1-Distill-Qwen-32B—with learning rate 8, batch size 128, max sequence length 8192, on 8× A800 GPUs (Chen et al., 18 Aug 2025). The paper explicitly states that it does not introduce new neural architectures or custom loss functions beyond standard supervised fine-tuning (Chen et al., 18 Aug 2025).
This places FuSaR in contrast to RL-based safety-reasoning methods. TARS, for example, trains reasoning policies with GRPO and separate safety and task-completion rewards (Kim et al., 1 Jul 2025), while R2D adds step-wise safety pivot tokens and a contrastive objective (Zhu et al., 18 Feb 2025). FuSaR instead operates by curating and transforming supervised reasoning data (Chen et al., 18 Aug 2025).
3. Fuzzification of reasoning traces
In FuSaR, fuzzification is defined as a semantic obfuscation transform inspired by anonymization and desensitization techniques such as suppression, generalization, masking, and distortion (Chen et al., 18 Aug 2025). The aim is not to erase reasoning, but to preserve its abstract inferential structure while removing actionable harmful content. The method enforces Three Keeps and Two Eliminations (Chen et al., 18 Aug 2025).
| Principle | Content |
|---|---|
| Three Keeps | Keep the logical chain; Keep scientific accuracy; Keep semantic coherence |
| Two Eliminations | Eliminate hazardous operating details; Eliminate offensive or objectionable expressions |
The paper distinguishes two major categories of harmful reasoning (Chen et al., 18 Aug 2025). The first is procedural reasoning, which contains step-by-step actionable instructions such as weapon construction or chemical synthesis. The second is logical reasoning, which contains harmful discourse or justification such as bullying strategies or ideological manipulation (Chen et al., 18 Aug 2025). Each category is fuzzified differently.
For procedural reasoning, FuSaR applies three transformations (Chen et al., 18 Aug 2025). Entity fuzzification extracts harmful entities such as specific chemicals, devices, or targets and replaces them with higher-level concepts. Numerical fuzzification replaces precise parameters—temperatures, concentrations, durations, dimensions—with vague but semantically coherent descriptions. Operation chain truncation removes fine-grained operational sequences while retaining key thinking steps and high-level results (Chen et al., 18 Aug 2025). The paper’s examples include replacing “Heat to 180°C for 30 minutes” with “Heat to a high temperature for a period of time,” and replacing detailed multistep synthesis instructions with a high-level statement about combining substances and applying standard purification methods, accompanied by the caveat that such procedures should not be performed in practice (Chen et al., 18 Aug 2025).
For logical reasoning, the method applies entity fuzzification and concept deconstruction (Chen et al., 18 Aug 2025). Entity fuzzification abstracts specific targeted people or groups into generic placeholders such as “the target” or “a person.” Concept deconstruction rewrites misleading, biased, or harmful conceptual claims toward factual accuracy and responsible representation (Chen et al., 18 Aug 2025). This suggests that FuSaR treats harmful reasoning not only as procedural leakage but also as the transmission of harmful justificatory structures.
A crucial feature is that the fuzzification transform is implemented via an LLM with few-shot prompting (Chen et al., 18 Aug 2025). The fuzzifier is instructed to extract dangerous entities and parameters, replace them with higher-level abstractions, and simplify or reorganize the reasoning while preserving logical flow (Chen et al., 18 Aug 2025). A plausible implication is that FuSaR functions as a data-transformation pipeline more than as an inference-time controller.
4. Safety evaluation and reasoning retention
FuSaR evaluates safety primarily through Attack Success Rate (ASR), measured separately for the reasoning phase and the final response (Chen et al., 18 Aug 2025). Outputs are classified using Llama-Guard, and ASR is defined as:
9
Reasoning capability is measured by accuracy on ARC-Easy and ARC-Challenge (Chen et al., 18 Aug 2025). The balancing objective is empirical rather than encoded as a single scalar optimization target: the method is assessed by how much ASR decreases and how Acc changes after fine-tuning (Chen et al., 18 Aug 2025).
The reported safety gains relative to SafeChain are substantial. For R1-Qwen-32B, Reasoning ASR on AdvBench is reported as 44.23% / 67.88% (Origin / Rewrite) for SafeChain and 19.42% / 37.69% for FuSaR (Chen et al., 18 Aug 2025). On the response side for the same model, SafeChain yields 7.88% / 35.00%, while FuSaR yields 0.19% / 14.81% (Chen et al., 18 Aug 2025). The paper states that FuSaR shows consistently lower ASRs than SafeChain across models, often by large margins (Chen et al., 18 Aug 2025).
The reasoning results are used to argue that the method does not merely trade safety for refusal. For R1-Qwen-32B, ARC-Easy improves from 97.89% to 98.77%, and ARC-Challenge from 95.65% to 96.32% under FuSaR (Chen et al., 18 Aug 2025). For R1-Qwen-1.5B, ARC-Easy rises from 73.86% to 88.07%, and ARC-Challenge from 60.20% to 84.28% (Chen et al., 18 Aug 2025). By contrast, DirectRefusal sharply reduces reasoning accuracy; for R1-Qwen-32B, ARC-Easy drops to 62.28% and ARC-Challenge to 59.20% (Chen et al., 18 Aug 2025).
These results position FuSaR against a broader safety–utility literature. AdvChain reports improvements in robustness and over-refusal by teaching dynamic correction of harmful and over-cautious reasoning (Zhu et al., 29 Sep 2025). TARS shows that mixing harmful, harmless, and ambiguous prompts with separate reward branches improves the safety-refusal trade-off (Kim et al., 1 Jul 2025). AltTrain argues that altering reasoning structure can dramatically reduce harmfulness with lightweight SFT (In et al., 21 Apr 2026). FuSaR differs in that its central object is not the trajectory policy or reasoning structure alone, but the content transformation of reasoning traces (Chen et al., 18 Aug 2025).
5. Ablations, mechanisms, and relation to neighboring methods
The main ablation reported for FuSaR is w/o-reasoning, which fine-tunes only on the safe response 0, removing fuzzified reasoning from the training data (Chen et al., 18 Aug 2025). This ablation performs better than the base model but worse than full FuSaR on both safety and reasoning metrics. For example, on R1-Qwen-32B, Reasoning-ASR (Origin) is 43.65% for Base, 39.23% for w/o-reasoning, and 19.42% for FuSaR (Chen et al., 18 Aug 2025). On ARC, w/o-reasoning improves slightly over Base but not as much as FuSaR (Chen et al., 18 Aug 2025). The paper interprets this as evidence that including detoxified reasoning in the training data is crucial for simultaneously enhancing safety and reasoning (Chen et al., 18 Aug 2025).
This mechanism places FuSaR near but not identical to several contemporary alignment paradigms. R2D embeds safety pivot tokens—[[SAFE](https://www.emergentmind.com/topics/surrogate-assisted-and-fine-tuning-enhanced-safe)], [UNSAFE], [RETHINK]—into reasoning traces and trains step-wise safety awareness (Zhu et al., 18 Feb 2025). AdvChain trains on Temptation-Correction and Hesitation-Correction sequences so that models learn to recover from harmful drift and unnecessary refusal (Zhu et al., 29 Sep 2025). AltTrain changes the canonical reasoning pattern from Problem Understanding 1 Solution Reasoning to Problem Understanding 2 Harmfulness Assessment 3 Conditional Reasoning (In et al., 21 Apr 2026). FuSaR instead preserves the inferential topology of the original reasoning but removes entities, procedures, and expressions that create safety risk (Chen et al., 18 Aug 2025).
A plausible implication is that FuSaR and these methods target different levels of the reasoning stack. R2D and AdvChain intervene in reasoning dynamics; AltTrain intervenes in reasoning structure; FuSaR intervenes in reasoning content. The data provided does not claim a direct formal unification, but it supports the interpretation that FuSaR occupies a distinct point in the design space.
6. Limitations, failure modes, and research directions
The paper identifies several limitations and implied failure modes (Chen et al., 18 Aug 2025). The training set contains only 1025 examples, constructed from HarmfulQA through rewriting and fuzzification, so coverage of the space of malicious reasoning patterns is limited (Chen et al., 18 Aug 2025). The fuzzification transform is LLM-dependent, and its quality depends on prompting, examples, and the safety profile of the fuzzifier LLM; poor fuzzification can either leave residual dangerous content or over-sanitize the reasoning (Chen et al., 18 Aug 2025). The method also offers no formal guarantee: ASR reductions are empirical, and the fuzzification transform is heuristic rather than proven safe (Chen et al., 18 Aug 2025).
The paper lists four potential failure modes (Chen et al., 18 Aug 2025). Under-protection arises when fuzzification misses subtle but still actionable details, or when harmful logical framing survives despite removal of procedures. Over-degradation of reasoning arises when overly aggressive abstraction removes key reasoning structure and harms generalization. Category mis-classification arises when the system mistakes procedural for logical reasoning or vice versa, leading to the wrong fuzzification strategy. Adaptation to new jailbreak strategies remains possible because attackers may exploit indirect encoding or multi-stage interactions beyond the training distribution (Chen et al., 18 Aug 2025).
The stated and implied research directions include scaling datasets, constructing more systematic fuzzification functions, combining FuSaR with constitutional AI or tool-based safety filters, and improving measurement of reasoning richness versus safety risk in reasoning traces (Chen et al., 18 Aug 2025). Related work suggests several nearby extensions. TARS frames safety–utility balancing with explicit reward branches and adaptive reasoning depth (Kim et al., 1 Jul 2025). R2D suggests finer-grained step-wise safety signals (Zhu et al., 18 Feb 2025). AltTrain suggests that explicit restructuring of the reasoning chain can yield strong safety with lightweight supervision (In et al., 21 Apr 2026). This suggests that a broader safety-reasoning research program may combine content fuzzification, structural editing, and dynamic correction, though such an overview is not claimed in the FuSaR paper itself.
FuSaR is therefore best understood as a data-level alignment strategy for LRMs that preserves reasoning while detoxifying it. Its central claim is that harmful reasoning should not simply be suppressed or replaced by flat refusal, but transformed so that the model can still “think first, then safely reject” (Chen et al., 18 Aug 2025). Within the current LRM alignment landscape, that claim marks a specific and technically distinct conception of how safety and reasoning can be balanced.