Reference: 3GPP TS 24.301 V8.0.0 (2008-12)
The NAS COUNT counters use 24 bit internal representation and are independently maintained by UE and MME. The NAS COUNT is constructed as a NAS sequence number (least significant bits) concatenated with a NAS overflow counter (most significant bits). When NAS COUNT is input to NAS ciphering or NAS integrity algorithms it is considered to be a 32-bit entity where the most significant bits are padded with zeros.
The network NAS COUNT shall be initialized to zero in the first SECURITY MODE COMMAND when a new security context is activated following a successful authentication and key agreement (AKA) procedure. The UE NAS COUNT shall be initialized to zero when the UE receives the first SECURITY MODE COMMAND message after a successful AKA procedure and uses it in the following SECURITY MODE COMPLETE message.
The NAS sequence number part of the NAS COUNT is exchanged between the UE and the MME as part of the NAS signalling. After each new or retransmitted outbound NAS message, the sender shall always increase the NAS COUNT number by one. Specifically, the NAS sequence number is increased by one, and if the result is zero (due to wrap around), the NAS overflow counter is also incremented by one. The receiving side estimates the NAS COUNT used by the sending side. Specifically, if the NAS sequence number wraps around, the NAS overflow counter is incremented by one.