You have to store something in order to provide a secure captcha. If you don't store anything, a malicious user agent could always return the same combination of text and encrypted data, and it would always pass.

You could limit that with timestamps, but then you force all legitimate users to respond in a timely fashion - not a good idea.