diff --git a/Cargo.lock b/Cargo.lock
index 696055c1..c683ee0b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -177,11 +177,12 @@ dependencies = [
 
 [[package]]
 name = "base58ck"
-version = "0.2.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed6a87a8367e7a4248c8dfd783c37ef492bca1307cd4b21b4cfad9cfd15bf060"
 dependencies = [
  "bitcoin-internals",
- "bitcoin_hashes 0.16.0",
+ "bitcoin_hashes 0.20.0",
 ]
 
 [[package]]
@@ -232,25 +233,40 @@ checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
 
 [[package]]
 name = "bitcoin"
-version = "0.33.0-alpha.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.33.0-beta"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "517161def4ca8527bfc4ba36efe5b40923024f73308a1f9c0fc5cca1bee2f536"
 dependencies = [
  "base58ck",
+ "base64 0.22.1",
  "bech32 0.11.0",
+ "bitcoin-consensus-encoding",
  "bitcoin-internals",
- "bitcoin-io 0.2.0",
+ "bitcoin-io 0.5.0",
+ "bitcoin-network-kind",
  "bitcoin-primitives",
  "bitcoin-units",
- "bitcoin_hashes 0.16.0",
+ "bitcoin_hashes 0.20.0",
  "bitcoinconsensus",
  "hex-conservative 0.3.0",
- "secp256k1",
+ "hex-conservative 1.0.1",
+ "secp256k1 0.32.0-beta.2",
+]
+
+[[package]]
+name = "bitcoin-consensus-encoding"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8d7ca3dc8ff835693ad73bf1596240c06f974a31eeb3f611aaedf855f1f2725"
+dependencies = [
+ "bitcoin-internals",
 ]
 
 [[package]]
 name = "bitcoin-internals"
-version = "0.4.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a30a22d1f112dde8e16be7b45c63645dc165cef254f835b3e1e9553e485cfa64"
 dependencies = [
  "hex-conservative 0.3.0",
 ]
@@ -263,29 +279,46 @@ checksum = "340e09e8399c7bd8912f495af6aa58bea0c9214773417ffaa8f6460f93aaee56"
 
 [[package]]
 name = "bitcoin-io"
-version = "0.2.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6fb823712b12e5cfccdb9a2b6a62de2dc42ddb5ec489511025eebeba1c21829"
+dependencies = [
+ "bitcoin-consensus-encoding",
+ "bitcoin-internals",
+ "bitcoin_hashes 0.20.0",
+]
+
+[[package]]
+name = "bitcoin-network-kind"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f85911fdff634a2e65f8175a54e609172a718d385ab4da87937f166d37eef4a3"
 dependencies = [
  "bitcoin-internals",
- "bitcoin_hashes 0.16.0",
+ "serde",
 ]
 
 [[package]]
 name = "bitcoin-primitives"
-version = "0.101.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.102.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48379e4d9a4456c038d78551ccbb8a3d7f9514c799f51ae815a6e947d64c9efe"
 dependencies = [
+ "bitcoin-consensus-encoding",
  "bitcoin-internals",
  "bitcoin-units",
- "bitcoin_hashes 0.16.0",
+ "bitcoin_hashes 0.20.0",
  "hex-conservative 0.3.0",
+ "hex-conservative 1.0.1",
 ]
 
 [[package]]
 name = "bitcoin-units"
-version = "0.2.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fe8fafd73be14659c450deb64f90d2fd5a354fce366a01223a8319cf4d98b40"
 dependencies = [
+ "bitcoin-consensus-encoding",
  "bitcoin-internals",
  "serde",
 ]
@@ -302,9 +335,11 @@ dependencies = [
 
 [[package]]
 name = "bitcoin_hashes"
-version = "0.16.0"
-source = "git+https://github.com/rust-bitcoin/rust-bitcoin?rev=436de8ef12ab371aab6e9f6fbfb098238b42657d#436de8ef12ab371aab6e9f6fbfb098238b42657d"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8a45c2b41c457a9a9e4670422fcbdf109afb3b22bc920b4045e8bdfd788a3d"
 dependencies = [
+ "bitcoin-consensus-encoding",
  "bitcoin-internals",
  "hex-conservative 0.3.0",
 ]
@@ -620,7 +655,7 @@ dependencies = [
  "rpassword",
  "rustyline",
  "rustyline-derive",
- "secp256k1",
+ "secp256k1 0.30.0",
  "serde",
  "serde_derive",
  "serde_json",
@@ -664,7 +699,7 @@ dependencies = [
  "ckb-fixed-hash",
  "faster-hex",
  "rand 0.8.5",
- "secp256k1",
+ "secp256k1 0.30.0",
  "thiserror",
 ]
 
@@ -919,7 +954,7 @@ dependencies = [
  "log",
  "lru",
  "reqwest",
- "secp256k1",
+ "secp256k1 0.30.0",
  "serde",
  "serde_derive",
  "serde_json",
@@ -947,7 +982,7 @@ dependencies = [
  "parking_lot 0.11.2",
  "rand 0.7.3",
  "scrypt",
- "secp256k1",
+ "secp256k1 0.30.0",
  "serde_json",
  "thiserror",
  "tiny-keccak",
@@ -1596,9 +1631,9 @@ dependencies = [
 
 [[package]]
 name = "futures-channel"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
 dependencies = [
  "futures-core",
  "futures-sink",
@@ -1606,9 +1641,9 @@ dependencies = [
 
 [[package]]
 name = "futures-core"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
 
 [[package]]
 name = "futures-executor"
@@ -1624,15 +1659,15 @@ dependencies = [
 
 [[package]]
 name = "futures-io"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
 
 [[package]]
 name = "futures-macro"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1641,21 +1676,21 @@ dependencies = [
 
 [[package]]
 name = "futures-sink"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
 
 [[package]]
 name = "futures-task"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 
 [[package]]
 name = "futures-util"
-version = "0.3.30"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
 dependencies = [
  "futures 0.1.31",
  "futures-channel",
@@ -1664,9 +1699,9 @@ dependencies = [
  "futures-macro",
  "futures-sink",
  "futures-task",
+ "libc",
  "memchr",
  "pin-project-lite",
- "pin-utils",
  "slab",
 ]
 
@@ -1713,6 +1748,18 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if 1.0.0",
+ "libc",
+ "r-efi",
+ "wasip2",
+]
+
 [[package]]
 name = "gimli"
 version = "0.29.0"
@@ -1838,6 +1885,12 @@ dependencies = [
  "arrayvec 0.7.4",
 ]
 
+[[package]]
+name = "hex-conservative"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "366fa3443ac84474447710ec17bb00b05dfbd096137817981e86f992f21a2793"
+
 [[package]]
 name = "hmac"
 version = "0.7.1"
@@ -2967,12 +3020,6 @@ version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02"
 
-[[package]]
-name = "pin-utils"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
-
 [[package]]
 name = "pkg-config"
 version = "0.3.30"
@@ -3079,6 +3126,12 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
 [[package]]
 name = "radix_trie"
 version = "0.2.1"
@@ -3146,6 +3199,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
 
+[[package]]
+name = "rand"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.1.1"
@@ -3176,6 +3239,16 @@ dependencies = [
  "rand_core 0.6.4",
 ]
 
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
 [[package]]
 name = "rand_core"
 version = "0.3.1"
@@ -3209,6 +3282,15 @@ dependencies = [
  "getrandom 0.2.16",
 ]
 
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
 [[package]]
 name = "rand_hc"
 version = "0.1.0"
@@ -3605,7 +3687,17 @@ checksum = "b50c5943d326858130af85e049f2661ba3c78b26589b8ab98e65e80ae44a1252"
 dependencies = [
  "bitcoin_hashes 0.14.0",
  "rand 0.8.5",
- "secp256k1-sys",
+ "secp256k1-sys 0.10.0",
+]
+
+[[package]]
+name = "secp256k1"
+version = "0.32.0-beta.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c5fdc7d6e800869d3fd60ff857c479bf0a83ea7bf44b389e64461e844204994"
+dependencies = [
+ "rand 0.9.4",
+ "secp256k1-sys 0.12.0",
 ]
 
 [[package]]
@@ -3617,6 +3709,15 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "secp256k1-sys"
+version = "0.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d3be00697c88c00fe102af8dc316038cc2062eab8da646e7463f4c0e70ca9fd"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.11.1"
@@ -4404,6 +4505,15 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
+[[package]]
+name = "wasip2"
+version = "1.0.3+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
+dependencies = [
+ "wit-bindgen",
+]
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.100"
@@ -4695,6 +4805,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
+[[package]]
+name = "wit-bindgen"
+version = "0.57.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e"
+
 [[package]]
 name = "writeable"
 version = "0.6.1"
diff --git a/Cargo.toml b/Cargo.toml
index 23f48b2c..de32a8a6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -30,7 +30,7 @@ jsonrpc-derive = "18"
 jsonrpc-http-server = "18"
 jsonrpc-server-utils = "18"
 secp256k1 = { version = "0.30.0", features = ["recovery"] }
-bitcoin = { git="https://github.com/rust-bitcoin/rust-bitcoin", rev="436de8ef12ab371aab6e9f6fbfb098238b42657d" }
+bitcoin = "0.33.0-beta"
 faster-hex = "0.6"
 env_logger = "0.6"
 crossbeam-channel = "0.5.8"
diff --git a/ckb-signer/Cargo.toml b/ckb-signer/Cargo.toml
index b9c772ac..3b1df5b8 100644
--- a/ckb-signer/Cargo.toml
+++ b/ckb-signer/Cargo.toml
@@ -18,7 +18,7 @@ scrypt = "0.2.0"
 rand = "0.7.3"
 tiny-keccak = "1.4"
 uuid = { version = "0.7.4", features = ["v4"] }
-bitcoin = { git="https://github.com/rust-bitcoin/rust-bitcoin", rev="436de8ef12ab371aab6e9f6fbfb098238b42657d" }
+bitcoin = "0.33.0-beta"
 chrono = "0.4"
 thiserror = "1.0.30"
 parking_lot = "0.11"
diff --git a/ckb-signer/src/keystore/mod.rs b/ckb-signer/src/keystore/mod.rs
index 2ca391d0..b235739e 100644
--- a/ckb-signer/src/keystore/mod.rs
+++ b/ckb-signer/src/keystore/mod.rs
@@ -584,9 +584,10 @@ impl CkbRoot {
         let parent_fingerprint = Default::default();
         let child_number = ChildNumber::from_hardened_idx(0).expect("child number");
         let pubkey_bin = util::get_hex_bin(value, "pubkey")?;
-        let public_key = secp256k1::PublicKey::from_slice(&pubkey_bin[..]).map_err(|err| {
-            Error::ParseJsonFailed(format!("Invalid pubkey for ckb root: {}", err))
-        })?;
+        let public_key =
+            bitcoin::secp256k1::PublicKey::from_slice(&pubkey_bin[..]).map_err(|err| {
+                Error::ParseJsonFailed(format!("Invalid pubkey for ckb root: {}", err))
+            })?;
         let chain_code_bin = util::get_hex_bin(value, "chain_code")?;
         if chain_code_bin.len() != 32 {
             return Err(Error::ParseJsonFailed(format!(
@@ -676,10 +677,7 @@ impl CkbRoot {
             ChildNumber::from_normal_idx(index).expect("normal child"),
         ];
         let path = DerivationPath::from(children);
-        let extended_pubkey = self
-            .extended_pubkey
-            .derive_pub(&SECP256K1, &path)
-            .expect("derive_pub");
+        let extended_pubkey = self.extended_pubkey.derive_pub(&path).expect("derive_pub");
         let full_path_string = format!("{}/{}/{}", CKB_ROOT_PATH, chain as u8, index);
         let full_path =
             DerivationPath::from_str(full_path_string.as_str()).expect("parse full path");
@@ -858,10 +856,13 @@ impl MasterPrivKey {
             depth: 0,
             parent_fingerprint: Default::default(),
             child_number: ChildNumber::Normal { index: 0 },
-            private_key: self.secp_secret_key,
+            private_key: bitcoin::secp256k1::SecretKey::from_secret_bytes(
+                self.secp_secret_key.secret_bytes(),
+            )
+            .expect("valid secp256k1 secret key"),
             chain_code: ChainCode::from(&self.chain_code),
         };
-        sk.derive_priv(&SECP256K1, path)
+        sk.derive_priv(path).expect("derive_priv")
     }
 
     pub fn sign<P>(&self, message: &H256, path: &P) -> Signature
@@ -871,7 +872,9 @@ impl MasterPrivKey {
         let message = secp256k1::Message::from_digest_slice(message.as_bytes())
             .expect("Convert to message failed");
         let sub_sk = self.sub_privkey(path);
-        SECP256K1.sign_ecdsa(&message, &sub_sk.private_key)
+        let private_key = secp256k1::SecretKey::from_slice(&sub_sk.private_key.to_secret_bytes())
+            .expect("valid secp256k1 secret key");
+        SECP256K1.sign_ecdsa(&message, &private_key)
     }
 
     pub fn sign_recoverable<P>(&self, message: &H256, path: &P) -> RecoverableSignature
@@ -881,7 +884,9 @@ impl MasterPrivKey {
         let message = secp256k1::Message::from_digest_slice(message.as_bytes())
             .expect("Convert to message failed");
         let sub_sk = self.sub_privkey(path);
-        SECP256K1.sign_ecdsa_recoverable(&message, &sub_sk.private_key)
+        let private_key = secp256k1::SecretKey::from_slice(&sub_sk.private_key.to_secret_bytes())
+            .expect("valid secp256k1 secret key");
+        SECP256K1.sign_ecdsa_recoverable(&message, &private_key)
     }
 
     pub fn extended_pubkey<P>(&self, path: &P) -> Xpub
@@ -889,7 +894,7 @@ impl MasterPrivKey {
         P: AsRef<[ChildNumber]>,
     {
         let sub_sk = self.sub_privkey(path);
-        Xpub::from_priv(&SECP256K1, &sub_sk)
+        Xpub::from_priv(&sub_sk)
     }
 
     pub fn ckb_root(&self) -> CkbRoot {
@@ -906,7 +911,9 @@ impl MasterPrivKey {
         P: AsRef<[ChildNumber]>,
     {
         let sub_sk = self.sub_privkey(path);
-        let pubkey = secp256k1::PublicKey::from_secret_key(&SECP256K1, &sub_sk.private_key);
+        let private_key = secp256k1::SecretKey::from_slice(&sub_sk.private_key.to_secret_bytes())
+            .expect("valid secp256k1 secret key");
+        let pubkey = secp256k1::PublicKey::from_secret_key(&SECP256K1, &private_key);
         H160::from_slice(&blake2b_256(&pubkey.serialize()[..])[0..20])
             .expect("Generate hash(H160) from pubkey failed")
     }
diff --git a/deny.toml b/deny.toml
index 36497dc8..e2e4b36c 100644
--- a/deny.toml
+++ b/deny.toml
@@ -70,9 +70,10 @@ feature-depth = 1
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
-    "RUSTSEC-2021-0145",
+    "RUSTSEC-2021-0145", # atty: Windows unaligned read; migrate away from atty in follow-up
     "RUSTSEC-2024-0421", # https://rustsec.org/advisories/RUSTSEC-2024-0421
-    "RUSTSEC-2026-0009" # CVE: RFC2822 parser stack recursion in time 0.3.41
+    "RUSTSEC-2026-0009", # CVE: RFC2822 parser stack recursion in time 0.3.41
+    "RUSTSEC-2026-0097" # rand 0.7.3; transitive through older dependency stack
     #"RUSTSEC-0000-0000",
     #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
     #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish