I don't think performance is the issue. A heavy static file serving workload (like a CDN) is either I/O bound or memory bound, depending on whether data set can fit in cache and the network situation.
The HMAC verification is just doing MD5/SHA1 hashes and comparing for equality, which all CPU (and really CPU, not CPU + memory, since the data is so small). It's tens of microseconds of CPU implemented in JavaScript (Table II). I'm sure it will be single digit microseconds or less implemented in C, so that's at least 100K - 1M req/s. The CPU will be negligible compared to the rest of the workload.
The performance issues with naive solutions for auth of static files are pretty different: hitting databases for auth checks, copying data through two process, context switches, etc. Those are things likely to slow down a static file serving workload.
There is some extra "complexity", but I think it's almost the simplest solution you can think of for auth, even ignoring performance. It's a lot simpler and more robust than say putting a database in the request path.
The implementation isn't as big as it may appear. There is an open source library that is less than 2K lines of C:
What I described is probably 200 lines of C or less. Again you are just verifying an HMAC chain. And the code for hash functions is stuff that probably already appears in all web servers anyway. It's using only the simpler "first party caveats" and not the "third party caveats".
