Fresh re-keying is a type of protocol which aims at splitting the task of protecting an encryption/authentication scheme against side-channel attacks in two parts. One part, a re-keying function, has to satisfy a minimum set of properties (such as good diffusion), and is based on an algebraic structure that is easy to protect against side-channel attacks with countermeasures such as masking. The other part, a block cipher, brings resistance against mathematical cryptanalysis, and only has to be secure against singlemeasurement attacks. Since fresh re-keying schemes are cheap and stateless, they are convenient to use in practice and do not require any synchronization between communication parties. However, it has been shown that their first instantiation (from Africacrypt 2010) only provides birthday security because of a (mathematical only) collision-based key recovery attack recently put forward by Dobraunig et al. (CARDIS 2014). In this paper, we provide two provably secure (in the...