Tor is replacing their algorithm for encrypting traffic with something called Counter Galois Onion, because their prior algorithm was vulnerable to tagging attacks, which they describe as:
Tagging attacks enable an active adversary to trace traffic by modifying it in one place on the network, and observing predictable changes in another. Even when tagging attacks don't succeed immediately, their side effects can give the attacker more and more opportunities to retry.
afaict their prior algorithm gives each cell a symmetric key and digest and that digest was malleable enough that it could allow for deanonymization on retries.
An attacker can use this attack to ensure that they control both ends of the circuit. They XOR a pattern onto a cell at one end, and then see if any garbled cells at the other end become clear when they remove that same pattern. Any circuits with an honest endpoint will fail (and not be deanonymized), but the client will retry them until they eventually choose a malicious endpoint.
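
The XOR property described above, as an added example that is not part of the original post or Tor's code: a toy three-hop circuit run once with a malleable keystream layer and once with a toy wide-block layer, to show why only the first lets a pattern survive an honest middle relay. The SHA-256 keystream, the Feistel layer, the function names, and all keys and cell contents are constructed stand-ins, not Tor's relay encryption or Counter Galois Onion.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter), truncated to n bytes."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_layer(key: bytes, cell: bytes) -> bytes:
    """Malleable onion layer: XOR with a keystream (same call adds or removes it)."""
    return xor(cell, keystream(key, len(cell)))

def wide_layer(key: bytes, cell: bytes, peel: bool = False) -> bytes:
    """Toy wide-block layer: 4-round Feistel across the whole cell."""
    half = len(cell) // 2
    left, right = cell[:half], cell[half:]
    for r in (reversed(range(4)) if peel else range(4)):
        rk = key + bytes([r])
        if peel:
            left, right = xor(right, keystream(rk + left, half)), left
        else:
            left, right = right, xor(left, keystream(rk + right, half))
    return left + right

def exit_view(add, peel, keys, plaintext, tag):
    """Cell seen at the exit after `tag` is XORed on after the entry and off at the exit."""
    cell = plaintext
    for k in reversed(keys):               # client wraps exit layer first, entry layer last
        cell = add(k, cell)
    cell = xor(peel(keys[0], cell), tag)   # entry relay peels its layer, pattern applied
    cell = peel(keys[1], cell)             # honest middle relay peels
    cell = peel(keys[2], cell)             # exit relay peels
    return xor(cell, tag)                  # same pattern removed at the exit

# Constructed sample data: three hop keys, a 64-byte cell, a one-byte pattern.
KEYS = [b"entry-key", b"middle-key", b"exit-key"]
CELL = b"GET /index.html".ljust(64, b"\x00")
TAG = b"\xff" + bytes(63)

def demo():
    """Returns (pattern survives keystream layers, pattern survives wide-block layers)."""
    malleable = exit_view(stream_layer, stream_layer, KEYS, CELL, TAG)
    wide = exit_view(wide_layer, lambda k, c: wide_layer(k, c, peel=True), KEYS, CELL, TAG)
    return malleable == CELL, wide == CELL

if __name__ == "__main__":
    print(demo())
```

With the keystream layers the pattern commutes with every hop's decryption, so the cell comes out clean; with the wide-block layers the honest middle hop's decryption of the modified cell scrambles it, and removing the pattern at the exit recovers nothing.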