That's what I mean, if his site was targeted specifically no matter what you have in that hidden field (encrypted or not) he'll keep getting those registration.

For someone who would want to flood his form, he can spend 1 day fetching that form page 1 time/sec and save the "encrypted data" of that form, and in the next day he can do '86400' successful registration according to your method.

if he locks it up to maximum of 1 hour , then it's 3600 successful registration per hour.

if he's specifically targeted the only possible way is using 'recaptcha' and if that doesn't work , I would suggest saving the requesting ips and block them using .htaccess file "Deny from xxx.xxx.xxx.xxx"