1. Known-key security
An outsider cannot compute the current session key even he knows some previous session keys.
2. Perfect forward secrecy
The compromise of the private keys of both the participating entities does not affect the security of the previous session keys.
3. Key-compromise impersonation resistance
Even though the client’s long-term private key is compromised, an adversary, who obtained the private key, cannot masquerade the server S and obtain the resulting session key.