This work addresses the safety behavior mismatch of large language models (LLMs) on long-tailed distributions—particularly cryptographic text—where conventional safety mechanisms fail. We propose a two-dimensional evaluation framework: “instruction refusal” and “generation safety.” Leveraging a cryptography-driven long-tailed test suite, we systematically assess pre-trained and post-trained models via adversarial prompt engineering, fine-grained response classification, and attribution analysis. Our findings reveal an implicit conflict between decryption capability and safety alignment: models either generate harmful content or over-refuse legitimate instructions; enhancing refusal alone neglects generation-layer risks. This study establishes the first empirically grounded, dual-dimensional evaluation paradigm for LLM safety, uncovering novel failure modes of safety mechanisms under long-tailed data. It provides a reproducible benchmark and theoretical insights for robust, safety-aware LLM design. (136 words)

This paper presents a systematic evaluation of Large Language Models' (LLMs) behavior on long-tail distributed (encrypted) texts and their safety implications. We introduce a two-dimensional framework for assessing LLM safety: (1) instruction refusal-the ability to reject harmful obfuscated instructions, and (2) generation safety-the suppression of generating harmful responses. Through comprehensive experiments, we demonstrate that models that possess capabilities to decrypt ciphers may be susceptible to mismatched-generalization attacks: their safety mechanisms fail on at least one safety dimension, leading to unsafe responses or over-refusal. Based on these findings, we evaluate a number of pre-LLM and post-LLM safeguards and discuss their strengths and limitations. This work contributes to understanding the safety of LLM in long-tail text scenarios and provides directions for developing robust safety mechanisms.