This happens all the time. It's not only with cryptographic functions, but also with .exe file packers.
And sometimes, it happens even when you don't add or change anything to your program. Sometimes a simple re-compile with a new compiler is enough.
A few years ago, when I actually cared, I used to send submissions to the big antivirus companies to prove that there's nothing wrong with my applications.
These days, I simply don't care. I have neither the time nor patience to chase these people and tell them to get their sh*t together and stop identifying things as viruses unless they really ARE viruses.
As far as what to do with your customers, it's fairly simple. Send them a couple of links which explain how and why virus engines are constantly producing false negatives. And also tell them to use common sense: "We're not in the habit of infecting our customers with viruses. That would be very bad for business."