The Bluetooth standard does not use RC4 but rather the stream cipher E0, which
is specifically designed to run over a Bluetooth wireless packet network. A
unique encryption key is generated for each session, from which per-packet keys
are derived, in a manner that avoids the problem in 802.11b caused by frequent
reuse of per-packet keys.
Direct attacks on the E0 cipher are known but are of significant complexity.
Jakobsson and Wetzel present two such attacks: the first is of 2^100 complexity,
the second is a “birthday-type attack” of 2^66 overall complexity. Fluhrer and Lucks
present an attack using observed keystream and the public knowledge of the
encryption mechanism used in E0 to compute the encryption key. Their method
requires from O(2^73) to O(2^84) operations, depending on how much cleartext is
available for the algorithm. They contend that the upper limit of E0 is actually about 80 bits
and question the extension of the E0 key size to 128 bits as suggested in the
Bluetooth specification. As discussed by Jakobsson and Wetzel, attacks
with a high order of complexity are not of practical value, but may point the way
to a more efficient attack. As yet, a more efficient direct attack on E0 has not
Like RC4, E0 requires a ciphering key. The ciphering key is computed as a hash
of a random number, the link key and a byproduct of the authentication
procedure, the Authentication Ciphering Offset (ACO).
While the link key is also used to generate a ciphering key used for data
encryption, it is not used for data encryption itself. This is a significant advantage
over 802.11b, in which the same key is used for authentication and encryption.
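The contrast drawn above, as an added example that is not part of the original text: in 802.11b the per-packet RC4 key is a 24-bit IV followed by the shared key, so a repeated IV repeats the keystream, while a ciphering key hashed from the link key, a random number and the ACO changes every session. HMAC-SHA256 is an assumed stand-in for Bluetooth's actual derivation hash, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for `key` (RC4 is the cipher 802.11b uses)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP style: the per-packet RC4 key is the 24-bit IV followed by the shared key."""
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def derive_cipher_key(link_key: bytes, rand: bytes, aco: bytes) -> bytes:
    """Session ciphering key as a hash of (random number, link key, ACO).
    ASSUMPTION: HMAC-SHA256 stands in for Bluetooth's real derivation function."""
    return hmac.new(link_key, rand + aco, hashlib.sha256).digest()[:16]

# Constructed sample values, not taken from any real network or device.
SHARED_KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
LINK_KEY = bytes(range(16))                          # 128-bit link key
P1, P2 = b"GET /index.html ", b"POST /login.cgi "    # equal-length payloads

def wep_xor_leaks(iv1: bytes, iv2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. both packets shared a keystream."""
    c1, c2 = wep_encrypt(SHARED_KEY, iv1, P1), wep_encrypt(SHARED_KEY, iv2, P2)
    return xor(c1, c2) == xor(P1, P2)

def session_keys_are_separated() -> bool:
    """One link key, two sessions: both ciphering keys differ from each other
    and from the link key, which itself never encrypts data."""
    k1 = derive_cipher_key(LINK_KEY, b"\xaa" * 16, b"\x01" * 12)
    k2 = derive_cipher_key(LINK_KEY, b"\xbb" * 16, b"\x02" * 12)
    return len({k1, k2, LINK_KEY}) == 3

if __name__ == "__main__":
    print(wep_xor_leaks(b"\x00\x00\x01", b"\x00\x00\x01"), session_keys_are_separated())
```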
In summary, the known attacks on the E0 cipher used in Bluetooth are far
more computationally complex than corresponding attacks on RC4 used in
802.11b. As yet, no practical direct attack has been reported. Also, unlike
802.11b, different keys are used for authentication and encryption.
Accordingly, practical studies on Bluetooth security have been focused on
methods to guess or steal the key (or at least a portion of it). The most
logical time to attempt this is during the pairing procedure.