The above diagram shows the identity exchanged between UE and Network.
1. During initial registration UE will encrypt SUPI in SUCI and send it to gNB.
2. gNB will then forward it to AMF.
3. AMF will forward it to AUSF and UDM to get SUPI as Authentication Request
4. UDM will decrypt SUPI and AUSF will send SUPI to AMF in Authentication Response.
5. AMF will generate GUTI and keep map of SUCI and GUTI. The mapping is done because of further registrations or PDU session requests.
6. Then AMF will send Registration Accept with GUTI.
7. From now on, UE whenever it is sending subsequent registration request, then it will send GUTI.
Now for the subsequent registration requests, UE will send GUTI.
There can be 2 cases in AMF:
Case 1: AMF is able to generate SUPI from GUTI and SUCI: In that case, the authentication can be done using SUCI.
Case 2: If AMF is not able to generate SUPI from GUTI and SUCI, then AMF will send Identity Request to UE and then it will continue with the Authentication procedure.
Usually this case occurs, then UE moves from one AMF to another AMF, then the new AMF will not be having the GUTI, SUCI mapping.