6

I plan on storing data, encrypted with AES256, where the first dozen bytes are known plaintext. ('Hello World!' for example.)

Does having this known plaintext prefix weaken AES256?

I do not care about modifications being made to the ciphertext that result in modifications to the decrypted plaintext.

I do care about an attacker being able to decrypt any plaintext beyond the known plaintext prefix.

I expect to use counter mode, as random access is required. Does GCM have any advantage?

Matt Jones
  • 71
  • 4

2 Answers

11

AES-256 has sustained 15 years of cryptanalysis, and it can be stated that knowledge of some plaintext bytes would not help to reveal the other bytes, no matter what mode of operation (CBC, CTR, etc.) is used.

AES-GCM is an authenticated encryption scheme that allows a key holder to detect any modification that has been done to the ciphertext. If you do not care about such modifications (which are easy in the Counter mode), then you do not have to use GCM. However, if you can use it, I would definitely recommend doing so.

Dmitry Khovratovich
  • 5,737
  • 23
  • 25
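The detection behaviour this answer describes, as an added example that is not part of the original thread: AES-256-GCM from Go's standard library, sealing a message that starts with the known prefix and then flipping one bit of the ciphertext just past that prefix to show that `Open` rejects the whole message instead of returning a modified plaintext. The key, nonce handling and sample message are constructed here; the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// knownPrefix is the fixed plaintext header from the question.
const knownPrefix = "Hello World!"

const gcmNonceSize = 12 // standard GCM nonce length used by cipher.NewGCM

// sealGCM encrypts plaintext under a 32-byte key with AES-256-GCM and a fresh
// random nonce. Output layout: nonce || ciphertext || 16-byte tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob carries all three.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM verifies the tag and decrypts. Any change to nonce, ciphertext or
// tag makes Open fail, and no partial plaintext is returned.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// tamperDetected flips one bit of the ciphertext byte immediately after the
// known prefix and reports whether decryption is refused (true = detected).
func tamperDetected(key, sealed []byte) bool {
	mod := append([]byte(nil), sealed...) // work on a copy
	mod[gcmNonceSize+len(knownPrefix)] ^= 0x01
	_, err := openGCM(key, mod)
	return err != nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	msg := []byte(knownPrefix + " secret payload") // constructed sample
	sealed, err := sealGCM(key, msg)
	if err != nil {
		panic(err)
	}
	pt, err := openGCM(key, sealed)
	fmt.Printf("roundtrip ok: %v (%q)\n", err == nil, pt)
	fmt.Println("modification rejected:", tamperDetected(key, sealed))
}
```

One practical point for the random-access requirement in the question: a standard AEAD interface such as Go's `cipher.AEAD` authenticates and decrypts the whole message in one call, so GCM on its own does not give verified reads of an arbitrary byte range; large files are usually split into fixed-size chunks that are each sealed separately.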

11

When using CTR mode, AES is used to generate a kind of key stream which is then XORed with your plaintext. So AES is actually encrypting an incrementing counter.

At the moment there is no known attack that would yield E(N) if you know E(N-1), where N is the aforementioned counter. So this should be safe.

But be aware, as the plaintext is XORed with the key stream it is easy to flip specific bytes! So an attacker would be able to change e.g. some numbers, if the underlying plaintext format is known or can be guessed.

If you do not want to use GCM or some other AEAD scheme I would advise attaching a MAC (HMAC or CMAC) to your ciphertext. But remember, Encrypt-then-MAC.

Thor
  • 788
  • 3
  • 6
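The construction this answer recommends, as an added example that is not part of the original thread: AES-256-CTR with the counter block laid out as an 8-byte nonce followed by a 64-bit block counter, an HMAC-SHA256 tag computed over IV and ciphertext (Encrypt-then-MAC), the tag checked in constant time before any decryption, and a random-access read that seeks to an arbitrary plaintext offset by setting the counter directly. Keys, nonce, sample message and all function names are constructed here, not taken from the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const knownPrefix = "Hello World!" // fixed header from the question
const tagSize = sha256.Size         // 32-byte HMAC-SHA256 tag

// ctrXOR applies the AES-256-CTR keystream to data as if data sat at byte
// offset `offset` of the stream. iv is nonce(8) || counter(8) with counter 0;
// seeking is done by writing offset/16 into the counter half, which is what
// makes CTR random access possible.
func ctrXOR(encKey, iv, data []byte, offset int) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be 16 bytes")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, iv[:8])
	binary.BigEndian.PutUint64(ctr[8:], uint64(offset/aes.BlockSize))
	stream := cipher.NewCTR(block, ctr)
	skip := make([]byte, offset%aes.BlockSize) // discard keystream up to offset
	stream.XORKeyStream(skip, skip)
	out := make([]byte, len(data))
	stream.XORKeyStream(out, data)
	return out, nil
}

// encryptThenMAC returns iv || ciphertext || HMAC-SHA256(macKey, iv || ciphertext).
// nonce must be 8 bytes and never repeat under the same encKey.
func encryptThenMAC(encKey, macKey, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != 8 {
		return nil, errors.New("nonce must be 8 bytes")
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce) // low 8 bytes stay zero: counter starts at block 0
	ct, err := ctrXOR(encKey, iv, plaintext, 0)
	if err != nil {
		return nil, err
	}
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil // tag appended after the ciphertext
}

// verifyTag checks the tag over iv || ciphertext before anything is decrypted
// and returns that body on success. hmac.Equal is constant-time.
func verifyTag(macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+tagSize {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC mismatch: ciphertext was modified")
	}
	return body, nil
}

// readRange verifies the whole message, then decrypts only plaintext bytes
// [off, off+n): the random-access read the question asks for.
func readRange(encKey, macKey, msg []byte, off, n int) ([]byte, error) {
	body, err := verifyTag(macKey, msg)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if off < 0 || n < 0 || off+n > len(ct) {
		return nil, errors.New("range out of bounds")
	}
	return ctrXOR(encKey, iv, ct[off:off+n], off)
}

// tamperRejected flips one bit of the ciphertext byte right after the known
// prefix and reports whether the read is refused (true = modification caught).
func tamperRejected(encKey, macKey, msg []byte) bool {
	mod := append([]byte(nil), msg...)
	mod[aes.BlockSize+len(knownPrefix)] ^= 0x01
	_, err := readRange(encKey, macKey, mod, 0, len(knownPrefix))
	return err != nil
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32) // constructed keys
	for i := range encKey {
		encKey[i], macKey[i] = byte(i), byte(255-i)
	}
	sealed, _ := encryptThenMAC(encKey, macKey, []byte("nonce-01"), []byte(knownPrefix+" the rest is secret"))
	part, err := readRange(encKey, macKey, sealed, 17, 10)
	fmt.Printf("random-access read: %q err=%v\n", part, err)
	fmt.Println("modification rejected:", tamperRejected(encKey, macKey, sealed))
}
```

Two design choices worth noting: separate keys are used for encryption and for the MAC, and the tag covers the IV as well as the ciphertext. Because a single tag covers the whole message, every random-access read still verifies all of it; for large files the usual answer is to MAC fixed-size chunks (with the chunk index included in the MAC input) so a read only has to verify the chunks it touches.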