The CAP Theorem

1. Availability, Consistency, Failure

Distributed systems promise something that centralised systems cannot: the ability to keep working even when parts break. If one server crashes, another takes over. If a network link goes down, traffic is rerouted. This is the intuitive promise — and it is why we build distributed systems in the first place.

But this promise comes at a cost. The same properties that make a system resilient also introduce fundamental limits. The CAP theorem — first articulated by Eric Brewer in 2000 and proved by Seth Gilbert and Nancy Lynch in 2002 — is the most famous of these limits. It states that a shared-data distributed system cannot simultaneously guarantee consistency (all nodes see the same data at the same time), availability (every request gets a response), and partition tolerance (the system works despite network failures).

2. Hiding Failure in Distributed Systems

A central motivation for distribution is the ability to mask failures. As Friedman and Birman (1996) observed, "being able to keep on providing services in spite of failures is supposed to be one of the main benefits of distributed systems over centralised ones." The idea is intuitive: if one component fails or becomes disconnected, another component replaces it, and the outside world never notices.

When a system can hide most of its failures, it appears to be always working — we call it highly available. The key question for system designers becomes: how much failure can a given system sustain before the failure becomes visible to the user?

3. What We Expect from a Distributed System

Gilbert and Lynch (2012) frame our expectations in terms of two classic properties from concurrent and distributed computing:

However, real systems experience power losses, crashes, network failures, message loss, malicious attacks, and Byzantine failures. The environment is unreliable. The tension between what we want (correctness and responsiveness) and the environment we have (unreliable and unpredictable) is the central problem of distributed systems design.

4. Safety vs. Liveness: The Deeper Tradeoff

Gilbert and Lynch (2012) place the CAP theorem in a broader context: "The CAP theorem is one example of a more general tradeoff between safety and liveness in unreliable systems."

Safety properties say "nothing bad happens." In a distributed data store, consistency is a safety property: it says the system must never return stale or conflicting data. Liveness properties say "something good eventually happens." Availability is a liveness property: it says every legitimate request eventually receives a response.

In a reliable system (perfect network, no crashes), safety and liveness can coexist. In an unreliable system — which every real distributed system is — they conflict. This conflict is what CAP captures with precision.

5. CAP at a Glance

Informally, the CAP theorem says: in a distributed application, you can simultaneously provide at most two of the following three properties:

• C — Consistency: All nodes see the same data at the same time. The replicated data is always consistent with each other.
• A — Availability: Every request receives a response, even if some nodes are down.
• P — Partition Tolerance: The system continues operating despite network partitions that break communication between nodes.

Brewer's original formulation (2000) described this as a conjecture about distributed databases. The community quickly recognised its broader significance: any shared-data distributed system must contend with this limit.

"According to the CAP theorem, it is only possible to simultaneously provide any two of the three following properties in distributed applications: consistency (C), availability (A), and partition tolerance (P)." — Shim, 2012

6. The CAP Theorem Formally

Building on Zhao (2014), we can state the three guarantees more precisely:

The theorem itself is an impossibility result: no shared-data distributed system can satisfy all three simultaneously. Understanding why requires defining each term with care and working through the proof.

7. Pick Two — and Why P Is Different

The classic CAP formulation says "pick two." The three options are:

However, as the slides note, the three properties are not symmetric:

• Consistency and availability are spectra: There are many shades of consistency (strong, eventual, causal, read-committed, etc.) and many degrees of availability (five nines, four nines, etc.).
• Partition tolerance is essentially binary: Either your system survives network partitions or it does not. Given the realities of modern infrastructure — especially in IoT, edge, and mobile systems — forfeiting partition tolerance is rarely a realistic option.

8. Interactive: Choose Your CAP Combination

9. Location-Based Games: A CAP Lens

Location-based games — BotFighters, GeoZombie, Ingress, Pokemon Go, Harry Potter: Wizards Unite, Minecraft Earth — are an excellent real-world illustration of CAP tradeoffs. They share a characteristic architecture: millions of mobile players moving through physical space, with game state that depends on location.

Partition tolerance is non-negotiable

Mobile devices are inherently unstable in network connectivity. Players move in and out of coverage. Players concentrate in some areas (special events) and are sparse in others. Scalability is multi-level: not just total player count, but the number of distinct locations and the density of players at each location.

Consistency and availability tension

Game data consistency (goals, achievements, items) is essential to keep players engaged. Location-based games typically use logically-centralised architectures with spatial replication to reduce latency and improve scalability. When strong consistency is required — e.g., for in-game transactions — players may have to wait for servers to confirm the operation. The first casualty is availability: the spinning wheel of death.

10. Case Study: Pokemon Go on Google Cloud

Pokemon Go's architecture (described in Google Cloud's blog) reveals how CAP choices are engineered in a real system serving millions of concurrent players.

1. 1. Content delivery: When a player opens the app, all static media are downloaded from Cloud Storage via Cloud CDN, using Google's global edge network for low-latency delivery.
2. 2. Request routing: Player requests go to an NGINX reverse proxy, which routes them to the Frontend game service hosted on Google Kubernetes Engine (GKE).
3. 3. Spatial backend: The Spatial Query Backend handles location-based features with a cache sharded by location. It decides which Pokemon appear on the map, which gyms and Pokestops are nearby, and which time zone applies.
4. 4. Strong consistency for writes: When a player catches a Pokemon, the Frontend (GKE) sends a write event to Google Spanner — a strongly consistent, globally replicated database. The player waits for the write to complete before getting a response.
5. 5. Logging and analytics: Every player action is recorded in Bigtable (NoSQL) as a Protobuf representation for logging and tracking. It is also published to a Pub/Sub topic for the analysis pipeline.
6. 6. Regional sync: Multiple players in the same geographical region are kept in sync through deterministic map rendering. Even on different machines, same-location players get the same inputs.
7. 7. Shared world: All servers synchronise settings changes and event timings, so players feel they share a consistent world.

Observe the CAP strategy: Spanner provides CP (strong consistency, partition-tolerant by design). The spatial cache and Bigtable provide AP (availability with eventual consistency). The system mixes models based on the operation: in-game transactions require CP, while location data and analytics use AP. This is exactly the kind of "maximise combinations" approach Brewer advocated in 2012.

11. Back to CAP: Definitions for a Proof

To move from conjecture to theorem, we need precise definitions. Gilbert and Lynch (2002) formalised the three concepts:

If the system is available, we get responses. A non-failing node cannot ignore or drop requests; it must reply.

Note: in the CAP context, "consistency" means atomic consistency (linearisability), not the ACID notion of consistency (which encompasses both correctness and isolation). Here, consistency implies that every read returns the most recent write — as if there were only one copy of the data, even though many replicas exist. If the system is consistent, we get correct responses.

Roughly: if node A sends a message to node B but the message does not arrive, the network is partitioned. Availability means B receives the message and responds. Consistency means B's response is correct.

12. The Theorem and Its Proof

Gilbert and Lynch considered three network models: (i) asynchronous network with message loss, (ii) asynchronous network without message loss, and (iii) partially synchronous network with local clocks. For teaching purposes we focus on the asynchronous model: there is no global clock, and nodes act based on local computation and received messages.

The Theorem

Proof by Contradiction

The proof structure is elegant:

1. Assume atomicity, availability, and partition tolerance all hold simultaneously.
2. Partition the network into two disjoint, non-empty sets G₁ and G₂. Communication between them is lost.
3. Let an atomic object o have initial value v₀.
4. Execution α₁: A write of v₁ ≠ v₀ to o occurs in G₁. During α₁, no messages cross the partition.
5. Execution α₂: A read of o occurs in G₂. During α₂, no messages cross the partition.
6. By availability: α₁ completes (the write succeeds in G₁), and α₂ completes (the read returns a value in G₂).
7. By the partition: G₂ never learns about the write. It sees only its local state, which still holds v₀. So the read returns v₀.
8. This violates consistency: A read after the write completed should return v₁ or a later value, not the stale v₀. Contradiction. QED.

The proof shows that any system that tries to guarantee all three properties simultaneously will fail when a partition occurs: it must either block (losing availability) or return stale data (losing consistency).

13. Interactive: Step Through the Proof

14. Building on an Impossibility Result

An impossibility result like CAP might seem discouraging. "Should we stop distributing computational systems?" the slides ask — "in the same way we stopped using axiomatic systems after Godel?"

The answer is clearly no. Negative results set boundaries and reveal the limits of our reach. Understanding what is impossible is what makes good engineering possible: it tells us which tradeoffs are inherent and which are merely accidental. An impossibility result from computer science becomes a guide for engineering methods and practices.

15. Partition-Aware Design: Switch Strategy

Brewer himself later refined the CAP theorem (Brewer, 2012), adding crucial nuance:

1. When the network is partitioned, a distributed system must choose a tradeoff between consistency and availability.
2. When there is no partition, a system can feature both consistency and availability.

This means the choice is not a permanent architectural decision but a runtime strategy. A well-designed system detects partitions and switches behaviour accordingly:

This partition-aware approach is the modern interpretation of CAP — not a static choice, but a dynamic policy that maximises consistency and availability given the current network conditions.

16. ACID vs. BASE

The traditional ACID semantics (Atomicity, Consistency, Isolation, Durability) were designed for centralised databases with strong assumptions. Fox et al. (1997) argued that for many Internet services, ACID is too strong — and proposed an alternative.

The contrast is stark:

17. Beyond BASE: Cloud Consistency Today

Most cloud services today adopt BASE — eBay, Amazon DynamoDB, and many others. However, the landscape has evolved beyond a simple ACID vs. binary choice:

• Amazon S3 now allows for strong read-after-write consistency (not just eventual). The same object store can serve both strongly consistent and eventually consistent workloads.
• Amazon DynamoDB writes are eventually consistent by default; reads are eventually consistent too. But strongly consistent reads can be configured — at a higher cost. This exposes CAP as a cost-performance tradeoff, not just a correctness choice.
• Systems increasingly mask inconsistencies from users through client-side caching, version vectors, and reconciliation logic.

Newer models — such as consistent soft-state replication (Birman et al., 2012) — attempt to bridge the gap, offering stronger guarantees than eventual consistency while preserving availability. The lesson is that CAP is not a static law but a design constraint that modern systems navigate with increasing sophistication.

18. State Explorer: Consistency vs. Availability Tradeoff

Use this state explorer to understand how the system moves through different consistency-availability regimes as the network condition changes.

19. Lessons Learnt

The CAP theorem is a cornerstone of distributed systems theory. The key takeaways:

• In the design and development of distributed systems, we must typically choose between a responsive system and a fully-consistent one when the network fails.
• We can leverage CAP to design systems with different features depending on system status — partition-aware design turns an impossibility result into an engineering strategy.
• ACID is the traditional model for reliable data management, but less stringent models — in particular, BASE — are both theoretically justified and practically useful in real-world distributed systems where availability matters more than immediate consistency.
• The CAP theorem, like all impossibility results in computer science, does not paralyse us — it informs our engineering choices and helps us understand the fundamental boundaries of what distributed systems can achieve.

Check Your Understanding