We introduce a new class of rate one-half binary codes: complementary information set codes. A binary linear code of length 2n and dimension n is called a complementary information set code (CIS code for short) if it has two disjoint information sets. This class of codes contains self-dual codes as a subclass. It is connected to graph correlation immune Boolean functions of use in the security of hardware implementations of cryptographic primitives. Such codes permit to improve the cost of masking cryptographic algorithms against side channel attacks. In this paper we investigate this new class of codes: we give optimal or best known CIS codes of length < 132. We derive general constructions based on cyclic codes and on double circulant codes. We derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all be classified in small lengths ≤ 12 by the building up construction. Some nonlinear permutations are constructed by using Z 4 -codes, based on the notion of dual distance of an unrestricted code.Keywords: cyclic codes, self-dual codes, dual distance, double circulant codes, Z 4 -codes I. INTRODUCTION Since the seminal work of P. Kocher [18], [19], it is known that the physical implementation of cryptosystems on devices such as smart cards leaks information which can be used in differential power analysis or in other kinds of side channel attacks. These attacks can be devastating if proper counter-measures are not included in the implementation. A kind of counter-measure, which is suitable for both hardware and software cryptographic implementations and does not rely on specific hardware properties is the following. It consists in applying a kind of secret sharing method, changing the variable representation (say x) into randomized shares m 1 , m 2 , . . . , m d+1 called masks such that x = m 1 + m 2 + · · · + m d+1 where + is a group operation -in practice, the XOR. Since the difficulty of performing an attack of order d (involving d + 1 shares) increases exponentially with d, it was believed until recently that for increasing the resistance to attacks, new masks have to be added, thereby increasing the order of the countermeasure, see [25]. But in these schemes, the profusion of masks implies a heavy load on the true random number generator, which significantly degrades the performance of the device. Moreover, the solution in [25] bases itself on a mask refreshing operation for which no secure implementation has been detailed so far. Now, it is shown in [21] that another option consists in encoding some of the masks, which is much less costly than adding fresh masks. At the order 1, this consists in representing x by the ordered pair (F (m), x + m), where F is a well